Windows Analysis Report
fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll

Overview

General Information

Sample name: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll (renamed file extension from exe to dll)
Original sample name: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.exe
Analysis ID: 1493796
MD5: cd6bf0fea07fff98c49a1ef6ccd11207
SHA1: 8c043e4f7778b90538944cb2aea806831bf79d32
SHA256: 998b6a7ad1579c31d13a53c37e184b58491bbaed016fa55cec1cd411c6989e2e
Tags: exe

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Loading BitLocker PowerShell Module
Machine Learning detection for sample
PE file contains section with special chars
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Execution from Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 7536 cmdline: loaddll64.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7596 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 7644 cmdline: rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • esentutl.exe (PID: 7668 cmdline: esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o MD5: E2098B56CF093E165D030E27591CE498)
          • conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • pha.pif (PID: 7856 cmdline: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 7624 cmdline: rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,ASSnko MD5: EF3179D498793BF4234F708D3BE28633)
      • esentutl.exe (PID: 7676 cmdline: esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o MD5: E2098B56CF093E165D030E27591CE498)
        • conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • pha.pif (PID: 7864 cmdline: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 7988 cmdline: rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,FindProcessId MD5: EF3179D498793BF4234F708D3BE28633)
      • esentutl.exe (PID: 8004 cmdline: esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o MD5: E2098B56CF093E165D030E27591CE498)
        • conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • pha.pif (PID: 6024 cmdline: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 4300 cmdline: rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,NetApiBufferFree MD5: EF3179D498793BF4234F708D3BE28633)
      • esentutl.exe (PID: 6500 cmdline: esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o MD5: E2098B56CF093E165D030E27591CE498)
        • conhost.exe (PID: 6160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • pha.pif (PID: 7712 cmdline: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • esentutl.exe (PID: 7632 cmdline: esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o MD5: E2098B56CF093E165D030E27591CE498)
    • pha.pif (PID: 8044 cmdline: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Users\Public\pha.pif, NewProcessName: C:\Users\Public\pha.pif, OriginalFileName: C:\Users\Public\pha.pif, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7644, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7856, ProcessName: pha.pif
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Users\Public\pha.pif, NewProcessName: C:\Users\Public\pha.pif, OriginalFileName: C:\Users\Public\pha.pif, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7644, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7856, ProcessName: pha.pif
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Users\Public\pha.pif, NewProcessName: C:\Users\Public\pha.pif, OriginalFileName: C:\Users\Public\pha.pif, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7644, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7856, ProcessName: pha.pif
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\Public\pha.pif, ProcessId: 7856, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_azosnf51.g1e.ps1
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Users\Public\pha.pif, NewProcessName: C:\Users\Public\pha.pif, OriginalFileName: C:\Users\Public\pha.pif, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7644, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7856, ProcessName: pha.pif
No Suricata rule has matched

AV Detection

Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll; ReversingLabs: Detection: 16%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.2% probability
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll; Joe Sandbox ML: detected

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\Public\pha.pif; Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\Public\pha.pif; Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Users\Public\pha.pif; Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\Public\pha.pif; Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell

System Summary

Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll; Static PE information: section name: . (reported 11 times)
Source: C:\Users\Public\pha.pif; Code function: 12_2_00007FFAAB44B7DC
Source: C:\Users\Public\pha.pif; Code function: 12_2_00007FFAAB44207D
Source: C:\Users\Public\pha.pif; Code function: 19_2_00007FFAAB523333
Source: C:\Users\Public\pha.pif; Code function: 26_2_00007FFAAB5330E9
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll; Static PE information: Number of sections: 19 > 10
Source: classification engine; Classification label: mal96.evad.winDLL@40/27@0/0
Source: C:\Windows\System32\esentutl.exe; File created: C:\Users\Public\pha.pif
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
Source: C:\Users\Public\pha.pif; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Users\Public\pha.pif; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_azosnf51.g1e.ps1
Source: C:\Windows\System32\loaddll64.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll"
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,ASSnko
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,FindProcessId
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,NetApiBufferFree
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\esentutl.exe esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Users\Public\pha.pif C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\System32\esentutl.exe esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
Source: C:\Windows\System32\esentutl.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Users\Public\pha.pif C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\Public\pha.pif; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: ??a.dll
Source: C:\Windows\System32\esentutl.exe | Section loaded: esent.dll
Source: C:\Windows\System32\esentutl.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\pha.pif | Section loaded: atl.dll
Source: C:\Users\Public\pha.pif | Section loaded: mscoree.dll
Source: C:\Users\Public\pha.pif | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\pha.pif | Section loaded: version.dll
Source: C:\Users\Public\pha.pif | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\pha.pif | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\pha.pif | Section loaded: cryptsp.dll
Source: C:\Users\Public\pha.pif | Section loaded: rsaenh.dll
Source: C:\Users\Public\pha.pif | Section loaded: cryptbase.dll
Source: C:\Users\Public\pha.pif | Section loaded: amsi.dll
Source: C:\Users\Public\pha.pif | Section loaded: userenv.dll
Source: C:\Users\Public\pha.pif | Section loaded: profapi.dll
Source: C:\Users\Public\pha.pif | Section loaded: windows.storage.dll
Source: C:\Users\Public\pha.pif | Section loaded: wldp.dll
Source: C:\Users\Public\pha.pif | Section loaded: msasn1.dll
Source: C:\Users\Public\pha.pif | Section loaded: gpapi.dll
Source: C:\Users\Public\pha.pif | Section loaded: msisip.dll
Source: C:\Users\Public\pha.pif | Section loaded: wshext.dll
Source: C:\Users\Public\pha.pif | Section loaded: appxsip.dll
Source: C:\Users\Public\pha.pif | Section loaded: opcservices.dll
Source: C:\Users\Public\pha.pif | Section loaded: secur32.dll
Source: C:\Users\Public\pha.pif | Section loaded: sspicli.dll
Source: C:\Users\Public\pha.pif | Section loaded: uxtheme.dll
Source: C:\Users\Public\pha.pif | Section loaded: urlmon.dll
Source: C:\Users\Public\pha.pif | Section loaded: iertutil.dll
Source: C:\Users\Public\pha.pif | Section loaded: srvcli.dll
Source: C:\Users\Public\pha.pif | Section loaded: netutils.dll
Source: C:\Users\Public\pha.pif | Section loaded: propsys.dll
Source: C:\Users\Public\pha.pif | Section loaded: wininet.dll
Source: C:\Users\Public\pha.pif | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Users\Public\pha.pif | Section loaded: mi.dll
Source: C:\Users\Public\pha.pif | Section loaded: miutils.dll
Source: C:\Users\Public\pha.pif | Section loaded: wmidcom.dll
Source: C:\Users\Public\pha.pif | Section loaded: dpapi.dll
Source: C:\Users\Public\pha.pif | Section loaded: wbemcomn.dll
Source: C:\Users\Public\pha.pif | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\Public\pha.pif | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | Static PE information: Image base 0x613c0000 > 0x60000000
Source: Binary string: powershell.pdbUGP | source: esentutl.exe, 00000007.00000003.1305392989.000002C400E90000.00000004.00001000.00020000.00000000.sdmp, pha.pif, 0000000C.00000000.1321278743.00007FF67C22B000.00000002.00000001.01000000.00000006.sdmp, pha.pif.7.dr
Source: Binary string: powershell.pdb | source: esentutl.exe, 00000007.00000003.1305392989.000002C400E90000.00000004.00001000.00020000.00000000.sdmp, pha.pif, 0000000C.00000000.1321278743.00007FF67C22B000.00000002.00000001.01000000.00000006.sdmp, pha.pif.7.dr
Source: pha.pif.7.dr | Static PE information: 0x7EDA4115 [Wed Jun 10 07:45:25 2037 UTC]
Source: C:\Windows\System32\loaddll64.exe | Code function: 2_2_613C1D0E LoadLibraryW,GetProcAddress,GetCurrentProcess,WriteProcessMemory,2_2_613C1D0E
Source: initial sample | Static PE information: section where entry point is pointing to: .
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | Static PE information: section name: . (reported for 11 sections)
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | Static PE information: section name: /4
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | Static PE information: section name: /19
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | Static PE information: section name: /31
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | Static PE information: section name: /45
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | Static PE information: section name: /57
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | Static PE information: section name: /70
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | Static PE information: section name: /81
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | Static PE information: section name: /92
Source: C:\Windows\System32\loaddll64.exe | Code function: 2_2_613D0021 pushfq ; iretd 2_2_613D002A
Source: C:\Windows\System32\loaddll64.exe | Code function: 2_2_613D0D00 pushfq ; ret 2_2_613D0D01
Source: C:\Windows\System32\loaddll64.exe | Code function: 2_2_613D1DFE push rsp; iretd 2_2_613D1DFF
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_613D0021 pushfq ; iretd 5_2_613D002A
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_613D0D00 pushfq ; ret 5_2_613D0D01
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_613D1DFE push rsp; iretd 5_2_613D1DFF
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_613D0021 pushfq ; iretd 6_2_613D002A
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_613D0D00 pushfq ; ret 6_2_613D0D01
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_613D1DFE push rsp; iretd 6_2_613D1DFF
Source: C:\Users\Public\pha.pif | Code function: 12_2_00007FFAAB32D2A5 pushad ; iretd 12_2_00007FFAAB32D2A6
Source: C:\Users\Public\pha.pif | Code function: 12_2_00007FFAAB519B7A push 3000009Bh; iretd 12_2_00007FFAAB519BC1
Source: C:\Users\Public\pha.pif | Code function: 13_2_00007FFAAB35D2A5 pushad ; iretd 13_2_00007FFAAB35D2A6
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_613D0021 pushfq ; iretd 16_2_613D002A
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_613D0D00 pushfq ; ret 16_2_613D0D01
Source: C:\Windows\System32\rundll32.exe | Code function: 16_2_613D1DFE push rsp; iretd 16_2_613D1DFF
Source: C:\Users\Public\pha.pif | Code function: 19_2_00007FFAAB33D2A5 pushad ; iretd 19_2_00007FFAAB33D2A6
Source: C:\Users\Public\pha.pif | Code function: 19_2_00007FFAAB45347F push esp; ret 19_2_00007FFAAB453482
Source: C:\Users\Public\pha.pif | Code function: 19_2_00007FFAAB4519EA pushad ; ret 19_2_00007FFAAB4519F9
Source: C:\Windows\System32\rundll32.exe | Code function: 21_2_613D0021 pushfq ; iretd 21_2_613D002A
Source: C:\Windows\System32\rundll32.exe | Code function: 21_2_613D0D00 pushfq ; ret 21_2_613D0D01
Source: C:\Windows\System32\rundll32.exe | Code function: 21_2_613D1DFE push rsp; iretd 21_2_613D1DFF
Source: C:\Users\Public\pha.pif | Code function: 26_2_00007FFAAB34D2A5 pushad ; iretd 26_2_00007FFAAB34D2A6
Source: C:\Users\Public\pha.pif | Code function: 29_2_00007FFAAB32D2A5 pushad ; iretd 29_2_00007FFAAB32D2A6

Persistence and Installation Behavior

Source: C:\Windows\System32\esentutl.exe | File created: C:\Users\Public\pha.pif

Boot Survival

Source: C:\Windows\System32\esentutl.exe | File created: C:\Users\Public\pha.pif

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\Public\pha.pif | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Users\Public\pha.pif | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: c:\users\public\pha.pif Key value queried: Powershell behavior (5 identical entries)
Source: C:\Users\Public\pha.pif Memory allocated: 1353D7F0000 memory reserve | memory write watch
Source: C:\Users\Public\pha.pif Memory allocated: 1353EE40000 memory reserve | memory write watch
Source: C:\Users\Public\pha.pif Memory allocated: 25B12E70000 memory reserve | memory write watch (2 identical entries)
Source: C:\Users\Public\pha.pif Memory allocated: 255AE840000 memory reserve | memory write watch
Source: C:\Users\Public\pha.pif Memory allocated: 255AE880000 memory reserve | memory write watch
Source: C:\Users\Public\pha.pif Memory allocated: 281C0A00000 memory reserve | memory write watch
Source: C:\Users\Public\pha.pif Memory allocated: 281C0DD0000 memory reserve | memory write watch
Source: C:\Users\Public\pha.pif Memory allocated: 264FACC0000 memory reserve | memory write watch
Source: C:\Users\Public\pha.pif Memory allocated: 264FAD30000 memory reserve | memory write watch
Source: C:\Users\Public\pha.pif Thread delayed: delay time: 922337203685477 (8 identical entries)
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 8388
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 923
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 8326
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 863
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 7120
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 1545
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 5878
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 1116
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 5349
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 357
Source: C:\Users\Public\pha.pif TID: 8188 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\Public\pha.pif TID: 8116 Thread sleep count: 8326 > 30
Source: C:\Users\Public\pha.pif TID: 8128 Thread sleep count: 863 > 30
Source: C:\Users\Public\pha.pif TID: 7184 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\Public\pha.pif TID: 3624 Thread sleep count: 7120 > 30
Source: C:\Users\Public\pha.pif TID: 6924 Thread sleep count: 1545 > 30
Source: C:\Users\Public\pha.pif TID: 6820 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\Public\pha.pif TID: 6812 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\pha.pif TID: 5096 Thread sleep count: 5878 > 30
Source: C:\Users\Public\pha.pif TID: 7888 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\Public\pha.pif TID: 5096 Thread sleep count: 1116 > 30
Source: C:\Users\Public\pha.pif TID: 7660 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\pha.pif TID: 6036 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\Public\pha.pif TID: 7484 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (4 identical entries)
Source: C:\Users\Public\pha.pif Thread delayed: delay time: 922337203685477 (8 identical entries)
Source: C:\Users\Public\pha.pif Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 2_2_613C1D0E LoadLibraryW,GetProcAddress,GetCurrentProcess,WriteProcessMemory,2_2_613C1D0E
Source: C:\Users\Public\pha.pif Process token adjusted: Debug (5 identical entries)
Source: C:\Windows\System32\loaddll64.exe Code function: 2_2_613C2910 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_613C2910
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_613C2910 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_613C2910
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_613C2910 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_613C2910
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_613C2910 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_613C2910
Source: C:\Windows\System32\rundll32.exe Code function: 21_2_613C2910 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_613C2910
Source: C:\Users\Public\pha.pif Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Process created: C:\Users\Public\pha.pif C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'" (8 identical entries)
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Users\Public\pha.pif C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'" (2 identical entries)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1
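The process-creation lines above are the most actionable evidence in this section: a PowerShell host (the report's "Powershell is started from unusual location" signature) copied to C:\Users\Public under a .pif extension by esentutl.exe, then launched by rundll32.exe with -Command "Add-MpPreference -ExclusionPath 'C:\'", which excludes the entire system drive from Defender scanning. The following detection logic is an added example written for this page, not code from Joe Sandbox or from the sample; it runs offline over process-creation records in the shape a Sysmon Event ID 1 or Security 4688 collector hands over. The record shape, the staging-directory list, the parent-process list and the sample records are assumptions constructed for the example (the first record mirrors the command line in this report).

```python
"""Flag a renamed PowerShell host launched from a staging directory by a
LOLBin parent to add a broad Windows Defender exclusion. Added example for
this report; the input records below are constructed, not collected."""
import re
from dataclasses import dataclass

# Parents that commonly hand off to a dropped payload (assumed list).
# loaddll64.exe is the sandbox's own DLL loader and is here only because
# this report shows it spawning pha.pif.
LOLBIN_PARENTS = {"rundll32.exe", "loaddll64.exe", "cmd.exe", "regsvr32.exe",
                  "mshta.exe", "wscript.exe", "cscript.exe"}
# World-writable staging directories (assumed list; extend for your estate).
STAGING_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Extensions Windows still runs as PE images but no installer drops today.
ODD_PE_EXTS = (".pif", ".scr", ".com", ".cpl")
REAL_POWERSHELL = ("\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe")

# powershell.exe switches that reveal a PowerShell host whatever its file name.
PS_SWITCH = re.compile(r"(?i)(?:^|\s)-(?:c|com|command|e|ec|enc|encodedcommand)\b")
MP_CMDLET = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
EXCLUSION = re.compile(r"(?i)-Exclusion(Path|Extension|Process)\s+['\"]?([^'\"\s]+)")
DRIVE_ROOT = re.compile(r"(?i)[a-z]:\\?")


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal shape of a Sysmon Event ID 1 / Security 4688 record (assumed)."""
    image: str
    command_line: str
    parent_image: str


def is_broad_exclusion(path: str) -> bool:
    """True when excluding `path` would blind Defender to most of the disk."""
    p = path.rstrip("\\").lower()
    return bool(DRIVE_ROOT.fullmatch(path)) or p in {"c:\\users", "c:\\windows", "c:\\programdata"}


def classify(ev: ProcessEvent) -> list[str]:
    """Return the findings for one event in a fixed order, or [] if nothing fired."""
    findings = []
    image = ev.image.lower()
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if image.startswith(STAGING_DIRS) and image.endswith(ODD_PE_EXTS):
        findings.append("pe-staged-with-odd-extension")
    if PS_SWITCH.search(ev.command_line) and not image.endswith(REAL_POWERSHELL):
        findings.append("powershell-switches-on-renamed-host")
    if MP_CMDLET.search(ev.command_line):
        findings.append("defender-preference-change")
        for kind, value in EXCLUSION.findall(ev.command_line):
            if kind.lower() == "path" and is_broad_exclusion(value):
                findings.append(f"broad-exclusion:{value}")
    # A LOLBin parent only raises severity once something else has fired.
    if findings and parent in LOLBIN_PARENTS:
        findings.append(f"lolbin-parent:{parent}")
    return findings


# Constructed records: the first mirrors the process-creation line in this
# report; the other two are benign and administrative controls.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Users\Public\pha.pif",
        command_line=r'''C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"''',
        parent_image=r"C:\Windows\System32\rundll32.exe",
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line='powershell.exe -Command "Get-Date"',
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r'''powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Build\cache'"''',
        parent_image=r"C:\Windows\explorer.exe",
    ),
]


def triage(events):
    """Map each image with at least one finding to its findings."""
    return {ev.image: classify(ev) for ev in events if classify(ev)}


if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(findings))
```

Two caveats when porting this to a SIEM rule. The PowerShell-switch check is what catches the renamed host: an image-name filter on powershell.exe misses pha.pif entirely, and the report shows the sandbox had to infer PowerShell from behaviour for the same reason. And the exclusion cmdlet is a legitimate administrative action, so the broad-path check and the parent check are what separate this from a build server excluding its cache; Defender itself records every such configuration change as event 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is the place to corroborate a hit and to find exclusions that were added by some route other than PowerShell.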
Source: C:\Users\Public\pha.pif Queries volume information (90 entries across the pha.pif processes, collapsed to unique paths with their counts):
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (30)
  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (15)
  C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (5)
  C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (5)
  C:\ VolumeInformation (5)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (5)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (5)
  C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation (5)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation (5)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation (5)
  C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation (5)
Source: C:\Windows\System32\loaddll64.exe Code function: 2_2_613C2830 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,2_2_613C2830
Source: C:\Users\Public\pha.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (bracketed digits are the signature-count badges the report attaches to matched techniques, copied as shown):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API [1] | DLL Side-Loading [1] | Process Injection [11] | Masquerading [211] | OS Credential Dumping | System Time Discovery [1] | Remote Services | Archive Collected Data [1] | Encrypted Channel [1] | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading [1] | Disable or Modify Tools [11] | LSASS Memory | Process Discovery [1] | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion [31] | Security Account Manager | Virtualization/Sandbox Evasion [31] | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection [11] | NTDS | Application Window Discovery [1] | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information [1] | LSA Secrets | System Information Discovery [13] | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Rundll32 [1] | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Timestomp [1] | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading [1] | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph (ID 1493796, sample fed1bc0d4bf498ec8909dbc9611..., start date 16/08/2024, architecture WINDOWS, score 96)

Sample-level signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; PE file contains section with special chars; 3 other signatures

Process tree (signatures in square brackets, files created after the arrow):

loaddll64.exe  [Adds a directory exclusion to Windows Defender]
  rundll32.exe  [Adds a directory exclusion to Windows Defender]
    pha.pif  [Powershell is started from unusual location (likely to bypass HIPS); Loading BitLocker PowerShell Module; Reads the Security eventlog]
      conhost.exe
    esentutl.exe  [Drops PE files to the user root directory; Drops PE files with a suspicious file extension]  -> C:\Users\Public\pha.pif (PE32+, dropped)
      conhost.exe
  cmd.exe
    rundll32.exe  [Adds a directory exclusion to Windows Defender]
      pha.pif  [Powershell is started from unusual location (likely to bypass HIPS); Loading BitLocker PowerShell Module; Reads the Security eventlog; Reads the System eventlog]
        conhost.exe
      esentutl.exe
        conhost.exe
  rundll32.exe
    pha.pif  [Reads the System eventlog]
      conhost.exe
    esentutl.exe
      conhost.exe
  4 other processes  [Powershell is started from unusual location (likely to bypass HIPS); Loading BitLocker PowerShell Module; Reads the Security eventlog; Reads the System eventlog]
    pha.pif
      conhost.exe
    esentutl.exe
      conhost.exe
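The chain in the behavior graph (loaddll64.exe -> rundll32.exe -> esentutl.exe writing C:\Users\Public\pha.pif -> pha.pif running as a PowerShell host, with a Windows Defender directory exclusion being added along the way) maps directly onto host-telemetry detection rules. The following is an added example and not part of the Joe Sandbox report: it runs over constructed Sysmon-style events, and the esentutl command line, the OriginalFileName value attributed to pha.pif and the encoded Add-MpPreference command are assumptions that illustrate the report's signatures, not values taken from it.

```python
"""Detection logic for the chain in the behavior graph above: a LOLBin
(esentutl.exe) writing a PE into C:\\Users\\Public, that PE running as a
PowerShell host under a .pif name, and an encoded command that adds a
Windows Defender exclusion.  Added example; the events are constructed
Sysmon-style records, not telemetry from the report."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# User-writable roots from which user-mode malware commonly executes (assumption).
WRITABLE_ROOTS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Extensions Windows executes as PE but that legitimate software rarely ships under.
SUSPICIOUS_EXT = (".pif", ".scr", ".com")
# Signed Windows binaries that can copy/decode arbitrary files (LOLBin copiers).
LOLBIN_COPIERS = ("esentutl.exe", "certutil.exe", "expand.exe")
EXCLUSION_RE = re.compile(
    r"(add|set)-mppreference\b.*-exclusion(path|process|extension)", re.I)
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass
class Event:
    kind: str                    # "process" (process creation) or "filecreate"
    image: str                   # executing image
    parent: str = ""             # parent image ("process" only)
    cmdline: str = ""
    original_filename: str = ""  # OriginalFileName from the image's version info
    target: str = ""             # file written ("filecreate" only)
    magic: bytes = b""           # leading bytes of the written file


def encode_command(script: str) -> str:
    """Build a PowerShell -EncodedCommand payload (base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded script if the command line carries -enc/-EncodedCommand."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(events: list[Event]) -> list[tuple[str, str]]:
    """Return (rule_id, image) pairs for every rule an event matches."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        name = _basename(ev.image)
        if ev.kind == "filecreate":
            tgt = ev.target.lower()
            is_pe = ev.magic.startswith(b"MZ")
            if is_pe and name in LOLBIN_COPIERS and tgt.startswith(WRITABLE_ROOTS):
                hits.append(("lolbin_pe_drop", ev.image))
            if is_pe and tgt.endswith(SUSPICIOUS_EXT):
                hits.append(("pe_suspicious_ext", ev.image))
            continue
        if ev.image.lower().startswith(WRITABLE_ROOTS) and name.endswith(SUSPICIOUS_EXT):
            hits.append(("exec_from_writable_root", ev.image))
        # A renamed copy of a signed binary keeps its version-info name.
        if ev.original_filename and ev.original_filename.lower() != name:
            hits.append(("image_name_masquerade", ev.image))
        if EXCLUSION_RE.search(decode_encoded_command(ev.cmdline)):
            hits.append(("defender_exclusion", ev.image))
    return hits


# Constructed sample mirroring the report's chain; the esentutl drop, the
# OriginalFileName of pha.pif and the encoded command are assumptions.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\rundll32.exe",
          parent=r"C:\Windows\System32\loaddll64.exe", original_filename="RUNDLL32.EXE"),
    Event("filecreate", r"C:\Windows\System32\esentutl.exe",
          target=r"C:\Users\Public\pha.pif", magic=b"MZ\x90\x00\x03"),
    Event("process", r"C:\Users\Public\pha.pif", parent=r"C:\Windows\System32\rundll32.exe",
          cmdline=r"C:\Users\Public\pha.pif -NoProfile -enc "
                  + encode_command(r"Add-MpPreference -ExclusionPath C:\Users\Public"),
          original_filename="PowerShell.EXE"),
    Event("process", r"C:\Windows\System32\conhost.exe",
          parent=r"C:\Users\Public\pha.pif", original_filename="CONHOST.EXE"),
]

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {image}")
```

Run against the constructed events, the esentutl write raises both file rules and the pha.pif process raises the three process rules; a stock powershell.exe started from System32 with a benign encoded command raises none. The OriginalFileName comparison is the cheapest masquerading check available in process-creation telemetry and does not depend on the attacker's choice of file name.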

Source | Detection | Scanner | Label
fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | 16% | ReversingLabs | Win64.Trojan.Barys
fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\Public\pha.pif | 0% | ReversingLabs |
C:\Users\Public\pha.pif | 0% | Virustotal |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://crl.microso | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
http://www.micom/pkiops/Docs/ry.htm0 | 0% | Avira URL Cloud | safe
http://www.microsoft.coS | 0% | Avira URL Cloud | safe
http://www.microsoft.co)e | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
https://github.com/Pester/Pester | 1% | Virustotal |
No contacted domains info
Name / Source (process, memory dump) / Malicious / Antivirus Detection / Reputation

http://nuget.org/NuGet.exe
  Source: pha.pif, 0000000D.00000002.1592007782.0000025B230C6000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 00000013.00000002.1852116699.00000255C0747000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 0000001A.00000002.1971038974.00000281D0FF7000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 0000001D.00000002.1988346586.0000026490075000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

http://pesterbdd.com/images/Pester.png
  Source: pha.pif, 0000001D.00000002.1447843983.0000026480228000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

http://crl.microso
  Source: pha.pif, 0000000D.00000002.1685961929.0000025B2B2B0000.00000004.00000020.00020000.00000000.sdmp; pha.pif, 00000013.00000002.1948011574.00000255C89A7000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

http://schemas.xmlsoap.org/soap/encoding/
  Source: pha.pif, 0000000C.00000002.1382752802.000001353F6B9000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 0000000D.00000002.1383454542.0000025B13279000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 00000013.00000002.1407806477.00000255B08F7000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 0000001A.00000002.1447878872.00000281C11A7000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 0000001D.00000002.1447843983.00000264803B2000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe; URL Reputation: safe
  Reputation: unknown

http://www.apache.org/licenses/LICENSE-2.0.html
  Source: pha.pif, 0000001D.00000002.1447843983.0000026480228000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
  Reputation: unknown

http://schemas.xmlsoap.org/wsdl/
  Source: pha.pif, 0000000C.00000002.1382752802.000001353F6B9000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 0000000D.00000002.1383454542.0000025B13279000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 00000013.00000002.1407806477.00000255B08F7000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 0000001A.00000002.1447878872.00000281C11A7000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 0000001D.00000002.1447843983.00000264803B2000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe; URL Reputation: safe
  Reputation: unknown

http://www.micom/pkiops/Docs/ry.htm0
  Source: pha.pif, 0000000D.00000002.1671607206.0000025B2B20E000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

https://contoso.com/
  Source: pha.pif, 0000001D.00000002.1988346586.0000026490075000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

https://nuget.org/nuget.exe
  Source: pha.pif, 0000000D.00000002.1592007782.0000025B230C6000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 00000013.00000002.1852116699.00000255C0747000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 0000001A.00000002.1971038974.00000281D0FF7000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 0000001D.00000002.1988346586.0000026490075000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe; URL Reputation: safe
  Reputation: unknown

https://contoso.com/License
  Source: pha.pif, 0000001D.00000002.1988346586.0000026490075000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

http://www.microsoft.coS
  Source: pha.pif, 00000013.00000002.1948011574.00000255C89A7000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

https://contoso.com/Icon
  Source: pha.pif, 0000001D.00000002.1988346586.0000026490075000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

https://aka.ms/pscore68
  Source: pha.pif, 0000000C.00000002.1382752802.000001353F491000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 0000000D.00000002.1383454542.0000025B13051000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 00000013.00000002.1407806477.00000255B06D1000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 0000001A.00000002.1447878872.00000281C0F81000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 0000001D.00000002.1447843983.0000026480001000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: pha.pif, 0000000C.00000002.1382752802.000001353F491000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 0000000D.00000002.1383454542.0000025B13051000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 00000013.00000002.1407806477.00000255B06D1000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 0000001A.00000002.1447878872.00000281C0F81000.00000004.00000800.00020000.00000000.sdmp; pha.pif, 0000001D.00000002.1447843983.0000026480001000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

http://www.microsoft.co)e
  Source: pha.pif, 0000000D.00000002.1692925460.0000025B2B5A2000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

https://github.com/Pester/Pester
  Source: pha.pif, 0000001D.00000002.1447843983.0000026480228000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: 1%, Virustotal; Avira URL Cloud: safe
  Reputation: unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1493796
Start date and time:2024-08-16 11:26:14 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 7m 40s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:36
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll
(renamed file extension from exe to dll)
Original Sample Name:fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.exe
Detection:MAL
Classification:mal96.evad.winDLL@40/27@0/0
EGA Information:
  • Successful, ratio: 50%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 128
  • Number of non-executed functions: 36
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe
  • Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target pha.pif, PID 6024 because it is empty
  • Execution Graph export aborted for target pha.pif, PID 7712 because it is empty
  • Execution Graph export aborted for target pha.pif, PID 7856 because it is empty
  • Execution Graph export aborted for target pha.pif, PID 7864 because it is empty
  • Execution Graph export aborted for target pha.pif, PID 8044 because it is empty
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
05:27:18 | API Interceptor | 124x Sleep call for process: pha.pif modified
No context
Match: C:\Users\Public\pha.pif (same dropped file seen in earlier analyses)
Associated Sample Name / URL | Detection | Threat Name
file.exe | malicious | Unknown
BrowserUpdater.lnk | malicious | Unknown
Updater.lnk | malicious | Unknown
ZG7UaFRPVW.exe | malicious | DBatLoader, Remcos
IN-34823_PO39276-pdf.vbe | malicious | Remcos, DBatLoader
7XU2cRFInT.exe | malicious | Remcos, DBatLoader
megerosites.cmd | malicious | DBatLoader, Lokibot
Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe | malicious | Remcos, DBatLoader
Payroll for July.exe | malicious | Remcos, DBatLoader
2nd_Quarter_Order_Sheet_xls_0000000000000000000.exe | malicious | Remcos, DBatLoader
Dropped file: C:\Users\Public\pha.pif
Process: C:\Windows\System32\esentutl.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 452608
Entropy (8bit): 5.459268466661775
Encrypted: false
SSDEEP: 6144:r2fdXxswSX0z/YWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:qVXqXEgW2KXzJ4pdd3klnnWosPhnzq
MD5: 04029E121A0CFA5991749937DD22A1D9
SHA1: F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054
SHA-256: 9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
SHA-512: 6A2FB055473033FD8FDB8868823442875B5B60C115031AAEDA688A35A092F6278E8687E2AE2B8DC097F8F3F35D23959757BF0C408274A2EF5F40DDFA4B5C851B
Malicious: false
Antivirus:
  • ReversingLabs, Detection: 0%
  • Virustotal, Detection: 0%
Joe Sandbox View (earlier analyses containing the same file):
  • Filename: file.exe, Detection: malicious
  • Filename: BrowserUpdater.lnk, Detection: malicious
  • Filename: Updater.lnk, Detection: malicious
  • Filename: ZG7UaFRPVW.exe, Detection: malicious
  • Filename: IN-34823_PO39276-pdf.vbe, Detection: malicious
  • Filename: 7XU2cRFInT.exe, Detection: malicious
  • Filename: megerosites.cmd, Detection: malicious
  • Filename: Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe, Detection: malicious
  • Filename: Payroll for July.exe, Detection: malicious
  • Filename: 2nd_Quarter_Order_Sheet_xls_0000000000000000000.exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..%k.ovk.ovk.ovu..vi.ovb..va.ov..lwi.ov..kwq.ovk.nv.ov..nwn.ov..jwb.ov..bwb.ov..vj.ov..mwj.ovRichk.ov........................PE..d....A.~.........."..........^......@=.........@..........................................`.......... .......................................L...........}...p..........................T......................(..................`................................text............................... ..`.rdata.............................@..@.data...,....`.......L..............@....pdata.......p.......T..............@..@.rsrc....}.......~...^..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................
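The record above (a PE32+ console executable with 0% AV detection and the standard .text/.rdata/.data/.pdata/.rsrc/.reloc layout visible in the preview) is the kind of dropped file that needs static triage before the AV verdict is trusted. The following is an added example and not code from the report: a minimal PE header parser that reports machine type, subsystem and section names and raises the two findings the report's dropped-file signatures describe, a PE carried under a suspicious extension and non-standard or special-character section names. The image it parses is a constructed header; the section lists and extension set are assumptions.

```python
"""Static triage of a dropped file such as C:\\Users\\Public\\pha.pif: confirm the
bytes are a PE, read machine type, subsystem and section names, and flag a PE
carried under an unusual extension or with non-standard section names.
Added example; the image is a minimal constructed PE32+ header, not the file
from the report."""
import struct

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".tls", ".bss", ".CRT", ".gfids"}
SUSPICIOUS_EXT = {".pif", ".scr", ".com", ".cpl"}
MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
SUBSYSTEMS = {2: "gui", 3: "console"}


def parse_pe(buf: bytes) -> dict:
    """Parse DOS header, COFF header, optional-header fields and section names."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24                                     # after the 20-byte COFF header
    magic = struct.unpack_from("<H", buf, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    subsystem = struct.unpack_from("<H", buf, opt + 68)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):                              # 40-byte section headers
        raw = struct.unpack_from("8s", buf, opt + opt_size + 40 * i)[0]
        sections.append(raw.rstrip(b"\0").decode("latin-1"))
    return {"machine": MACHINES.get(machine, hex(machine)),
            "pe32plus": magic == 0x20B,
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
            "sections": sections}


def triage(path: str, buf: bytes) -> list:
    """Findings a sandbox would raise for this file; empty for non-PE content."""
    findings = []
    try:
        info = parse_pe(buf)
    except (ValueError, struct.error):
        return findings
    filename = path.rsplit("\\", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in SUSPICIOUS_EXT:
        findings.append(f"PE carried under suspicious extension {ext}")
    for name in info["sections"]:
        if not all(c.isalnum() or c in "._$" for c in name):
            findings.append(f"section name with special chars: {name!r}")
        elif name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {name}")
    return findings


def build_pe(sections, machine=0x8664, subsystem=3) -> bytes:
    """Constructed minimal PE32+ image: DOS header, COFF header, optional header, section table."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240                                          # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 68, subsystem)
    table = b"".join(struct.pack("<8sIIIIIIHHI", s.encode("latin-1"), 0, 0, 0, 0, 0, 0, 0, 0, 0x60000020)
                     for s in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Section layout matching the pha.pif preview above; the bytes themselves are constructed.
SAMPLE_IMAGE = build_pe([".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc"])

if __name__ == "__main__":
    print(parse_pe(SAMPLE_IMAGE))
    print(triage(r"C:\Users\Public\pha.pif", SAMPLE_IMAGE))
```

For the constructed image the only finding is the .pif extension; the same bytes under a .dll name produce none, which is the point: a clean, signed PE becomes suspicious purely through where and under what name it is written. Truncated or non-PE input returns no findings instead of raising.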
Process: C:\Users\Public\pha.pif
File Type: CSV text
Category: modified
Size (bytes): 3817
Entropy (8bit): 5.359017561491687
Encrypted: false
SSDEEP: 96:iqbYqGSI6o9xYsntpDxqKkWqmq1ftzHNYrKaqWiNLmSRIzQ0cBjwQyUII:iqbYqGcQtpDxqKkWqmq1ftzHuLqzIzQr
MD5: 5E3DD85B96A2A1A844D35322C2A7CF80
SHA1: 62541AED2E47BCFE4567D76D33D32DFDB19E220B
SHA-256: A2AA8EC59AEEC369CA207D72014F6F509805DDA6F61BBF27200769792DA40DA6
SHA-512: 3251CE7E0ADD3A6485591A41F81BDBACE10BA0219E80B5C76FBC2AA285955BE02E9170D215CA21F16EEC7538BD840627035992030053F8B2FBE5D3BECDE20DAF
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\0827b790b8e74d0d12643297a812ae07\Microsoft.PowerShell.ConsoleHost.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\27947b366dfb4feddb2be787d72ca90d\System.Management.Automation.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d5

Process: C:\Users\Public\pha.pif
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Users\Public\pha.pif
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
(The record above repeats, with identical hashes, size and preview, for 15 further dropped files written by C:\Users\Public\pha.pif.)
                      Process:C:\Users\Public\pha.pif
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Users\Public\pha.pif
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Users\Public\pha.pif
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Users\Public\pha.pif
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\esentutl.exe
                      File Type:ASCII text, with CRLF, CR line terminators
                      Category:dropped
                      Size (bytes):518
                      Entropy (8bit):4.7900971540088495
                      Encrypted:false
                      SSDEEP:12:q6pK8+n/xTnXceSbZ7u0wxDDDDDDDDjC43j/SXRYqja:/pK1/xTXcp7u0wQAmuoa
                      MD5:09AD4BD06675D7BA2B712FC0891B8873
                      SHA1:24BA9E28B6A463BE9E8AAA2ABE2CE4C5F12381E0
                      SHA-256:8D1EAB785FBAA300CDC7874A2257909EE2858732BC74666CA96CE348FEBE1906
                      SHA-512:4BE50EC90C1276BF3334BBA4450981DCECEB1DB169E2B9A2EB39A2D2DAF62B515CF8FF1150C8DCAC229D03BE6C6CFC32A2E1412DC88D59E1851C1E303FBC0DD1
                      Malicious:false
                      Preview:..Initiating COPY FILE mode..... Source File: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe...Destination File: C:\\Users\\Public\\pha.pif...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... FAILURE: CreateFile: (80), The file exists............Operation terminated with error -1 (JET_wrnNyi, Function Not Yet Implemented) after 0.78 seconds.........
                      File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                      Entropy (8bit):5.412847298517685
                      TrID:
                      • Win64 Dynamic Link Library (generic) (102004/3) 86.41%
                      • Win64 Executable (generic) (12005/4) 10.17%
                      • Generic Win/DOS Executable (2004/3) 1.70%
                      • DOS Executable Generic (2002/1) 1.70%
                      • VXD Driver (31/22) 0.03%
                      File name:fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll
                      File size:92'160 bytes
                      MD5:cd6bf0fea07fff98c49a1ef6ccd11207
                      SHA1:8c043e4f7778b90538944cb2aea806831bf79d32
                      SHA256:998b6a7ad1579c31d13a53c37e184b58491bbaed016fa55cec1cd411c6989e2e
                      SHA512:b3e924a50af5d9e8cc6378f5c18867f1e3707acd4f0e607b5af1c86e193609451c404dfb372f5ccf65440465c428d00b4b2a7b6c89b65e71898257e721b05688
                      SSDEEP:1536:AiZmst3xID3zvytXt9bmsvgcGw5jxM+oC8XEWCl7MbiRkR1:AiZmst3a/c9bqcGn+oC8XE0R1
                      TLSH:F1934B4EEF62DDABC817C73049E6431C1735E24416899B173E1A8A3D6E2F770EF98186
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.b......... .....*... ................<a.............................0................ ............................
                      Icon Hash:7ae282899bbab082
                      Entrypoint:0x613c13e0
                      Entrypoint Section:.
                      Digitally signed:false
                      Imagebase:0x613c0000
                      Subsystem:windows cui
                      Image File Characteristics:EXECUTABLE_IMAGE, DLL
                      DLL Characteristics:
                      Time Stamp:0x66A907D1 [Tue Jul 30 15:33:37 2024 UTC]
                      TLS Callbacks:0x613c2ea0
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:b0ee9fca3049b669e21f2d2e0653be78
                      Instruction (entry-point bytes decoded as 32-bit x86; the binary is x86-64, so each "dec eax" below is really the 0x48 REX.W prefix of the following instruction, e.g. "dec eax / sub esp, 48h" is "sub rsp, 48h", and "arpl dx, cx" is "movsxd ecx, edx")
                      dec eax
                      sub esp, 48h
                      dec eax
                      mov eax, dword ptr [00003F25h]
                      cmp edx, 01h
                      mov dword ptr [eax], 00000000h
                      je 00007F28F9556D5Ch
                      dec eax
                      add esp, 48h
                      jmp 00007F28F9556BE6h
                      nop
                      dec esp
                      mov dword ptr [esp+38h], eax
                      mov dword ptr [esp+34h], edx
                      dec eax
                      mov dword ptr [esp+28h], ecx
                      call 00007F28F9558172h
                      call 00007F28F95584FDh
                      dec esp
                      mov eax, dword ptr [esp+38h]
                      mov edx, dword ptr [esp+34h]
                      dec eax
                      mov ecx, dword ptr [esp+28h]
                      dec eax
                      add esp, 48h
                      jmp 00007F28F9556BB6h
                      nop
                      push ebp
                      dec eax
                      mov ebp, esp
                      dec eax
                      sub esp, 40h
                      dec eax
                      mov dword ptr [ebp+10h], ecx
                      mov byte ptr [ebp-01h], 00000000h
                      dec eax
                      mov ecx, dword ptr [ebp+10h]
                      call 00007F28F9558F6Ch
                      dec eax
                      shl eax, 02h
                      dec eax
                      mov edx, AAAAAAABh
                      stosb
                      stosb
                      stosb
                      stosb
                      dec eax
                      mul edx
                      dec eax
                      mov eax, edx
                      dec eax
                      shr eax, 1
                      dec eax
                      add eax, 04h
                      dec eax
                      mov ecx, eax
                      call 00007F28F9558F29h
                      dec eax
                      mov dword ptr [ebp-18h], eax
                      mov dword ptr [ebp-08h], 00000000h
                      mov dword ptr [ebp-0Ch], 00000000h
                      mov dword ptr [ebp-08h], 00000000h
                      jmp 00007F28F9556E68h
                      movzx eax, byte ptr [ebp-01h]
                      mov edx, eax
                      add edx, 01h
                      mov byte ptr [ebp-01h], dl
                      movsx eax, al
                      mov edx, dword ptr [ebp-08h]
                      dec eax
                      arpl dx, cx
                      dec eax
                      mov edx, dword ptr [ebp+10h]
                      dec eax
                      add edx, ecx
                      movzx eax, byte ptr [eax]
                      Name                                  Virtual Address  Virtual Size  Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x9000           0x15c         .
                      IMAGE_DIRECTORY_ENTRY_IMPORT          0xa000           0x800         .
                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x6000           0x27c         .
                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd000           0x5c          .
                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_TLS             0xc020           0x28          .
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_IAT             0xa1f4           0x1b8         .
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                      Name  Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type          Entropy              Characteristics
                      .     0x1000           0x2810        0x2a00    3c11d50f49f9ed91f93d10024f5d077a  False     0.5254836309523809   data               5.948288484710761    IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .     0x4000           0x90          0x200     47819e70df701b21e3af22c27ddb88fc  False     0.20703125           data               1.7473416893362768   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .     0x5000           0x5c0         0x600     e03f7ecceeb971a657754c2442c5d91c  False     0.2994791666666667   data               4.03558142481659     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                      .     0x6000           0x27c         0x400     b8f2e4da2c68738a6d6ddfd9f6d7f2ce  False     0.35546875           data               2.7346732619257064   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                      .     0x7000           0x234         0x400     02be90b5fd30fc6e45ed1588be5fff26  False     0.232421875          locale data table  2.812013321884877    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                      .     0x8000           0x980         0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty              0.0                  IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .     0x9000           0x15c         0x200     cc9272152b0d60129d8c688f189e0c3f  False     0.529296875          data               3.6699039131979863   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                      .     0xa000           0x800         0x800     85032acfe5935c0be1b5ee0b4f134aa3  False     0.36767578125        data               4.091512851560753    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .     0xb000           0x58          0x200     76a8e01a43b5a2174a8cacbf4c7d16c6  False     0.056640625          data               0.20153937813451883  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .     0xc000           0x68          0x200     07c7cdb09bba338a9276e71553c08c8e  False     0.05859375           data               0.27015680731160896  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .     0xd000           0x5c          0x200     d9a0c8f7d0bca650c24ea5dbb8769f65  False     0.185546875          data               1.0010043973382599   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      /4    0xe000           0x340         0x400     2a4fb0b4aa1e6ba712f9bc80194591a3  False     0.2109375            data               1.4775019099080853   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      /19   0xf000           0x9bde        0x9c00    c7016656cca867b8096b3536e343e7f5  False     0.4014423076923077   data               6.000965027226234    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      /31   0x19000          0x1680        0x1800    ebdc2ab2fbfba99053c0ee0c31fd8b24  False     0.24495442708333334  data               4.485717658585147    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      /45   0x1b000          0x1534        0x1600    58868bb7b28a2c5a847f526f71bdfdc3  False     0.3595525568181818   data               5.647940606243863    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      /57   0x1d000          0xa50         0xc00     ea65fe74b5d1ace9a4fdfb8dad93191d  False     0.306640625          data               4.057482921881326    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      /70   0x1e000          0x12e         0x200     786a85e4e51a48bc8a3129bf00c60fa3  False     0.361328125          data               3.428488224423994    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      /81   0x1f000          0x2e89        0x3000    79147b589362b6aba64babc00cb76d57  False     0.19856770833333334  data               2.2846455098636906   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      /92   0x22000          0x550         0x600     d0bbe15d06a55ed7ff30753ed519f32a  False     0.21028645833333334  data               1.3759351367840893   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
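The section table above is the input for three of the report's static signatures: "PE file contains section with special chars" (eleven sections are named "." and the rest "/4", "/19" and so on), "Entry point lies outside standard sections" (entry RVA 0x13e0 falls inside the first "." section rather than a .text), and "PE file contains more sections than normal" (19 sections). The following is an added example for this page, not Joe Sandbox's code: a small parser that reads a PE section table with the standard library and reproduces those checks, along with per-section entropy. The STANDARD_SECTIONS list, the 10-section threshold and the build_pe helper (which assembles a minimal, non-loadable test image so the block runs offline) are assumptions of this example.

```python
"""Parse a PE section table and reproduce the static checks the report flags.

Added example for this page, not Joe Sandbox code. The build_pe helper makes a
minimal, non-loadable test image so that everything runs offline.
"""
import math
import re
import struct
from collections import Counter

# Assumption of this example: names a linker normally emits. Anything else is "non-standard".
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".tls", ".CRT", ".xdata"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty buffer, 8.0 for uniform bytes)."""
    if not buf:
        return 0.0
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in Counter(buf).values())


def parse_sections(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from the raw bytes of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                          # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i                        # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "characteristics": chars,
                         "entropy": entropy(data[raw_ptr:raw_ptr + raw_size])})
    return entry_rva, sections


def assess(data: bytes, max_sections: int = 10) -> dict:
    """Flag special-character names, an entry point outside standard sections, and section bloat."""
    entry_rva, sections = parse_sections(data)
    flags = []
    special = sorted({s["name"] for s in sections if not re.fullmatch(r"\.[A-Za-z0-9_$]+", s["name"])})
    if special:
        flags.append("section names with special chars: " + ", ".join(repr(n) for n in special))
    holder = next((s for s in sections
                   if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if holder is None:
        flags.append("entry point outside every section")
    else:
        if holder["name"] not in STANDARD_SECTIONS:
            flags.append(f"entry point in non-standard section {holder['name']!r}")
        if not holder["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            flags.append("entry point section is not executable")
    if len(sections) > max_sections:                         # threshold is an assumption of this example
        flags.append(f"{len(sections)} sections (more than {max_sections})")
    return {"entry_rva": entry_rva, "entry_section": holder["name"] if holder else None,
            "n_sections": len(sections), "flags": flags, "sections": sections}


def build_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal PE32+ from (name, va, payload, characteristics) tuples. Test input only."""
    n = len(sections)
    raw_ptr = (64 + 4 + 20 + 24 + 40 * n + 0x1FF) & ~0x1FF  # first raw section, 512-byte aligned
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, 24, 0x2022)  # x86-64, DLL, 24-byte optional header
    opt = struct.pack("<HBBIIIII", 0x20B, 0, 0, 0, 0, 0, entry_rva, 0)
    table, blobs = b"", b""
    for name, va, payload, chars in sections:
        size = (len(payload) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(payload), va,
                             size, raw_ptr + len(blobs), 0, 0, 0, 0, chars)
        blobs += payload.ljust(size, b"\0")
    return (bytes(dos) + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + blobs


if __name__ == "__main__":
    # Layout modelled on the report: entry RVA 0x13e0 inside a section named ".", plus a "/4" section.
    code = bytes(range(256)) * 40
    sample = build_pe([(".", 0x1000, code, 0x60000020), (".", 0x4000, bytes(0x90), 0xC0000040),
                       ("/4", 0xE000, b"debug-info", 0x42000040)], entry_rva=0x13E0)
    for flag in assess(sample)["flags"]:
        print(flag)
```

To run it over the real sample, pass the file's bytes to assess() instead of the constructed image. The "/N" names are how a GNU-toolchain linker stores section names longer than eight characters (the number is an offset into the COFF string table), which is why they show up alongside the single-dot names here; the parser reports them as-is rather than resolving the string table.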
                      DLL           Import
                      KERNEL32.dll  CloseHandle, CreateToolhelp32Snapshot, DeleteCriticalSection, EnterCriticalSection, ExitProcess, FreeLibrary, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetModuleHandleW, GetProcAddress, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryW, Process32First, Process32Next, QueryPerformanceCounter, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery, WinExec, WriteProcessMemory
                      msvcrt.dll    __dllonexit, __iob_func, _amsg_exit, _initterm, _lock, _onexit, _unlock, abort, calloc, free, fwrite, malloc, memcpy, puts, rand, signal, strcmp, strlen, strncmp, vfprintf
                      Name               Ordinal  Address
                      ASSnko             1        0x613c1d97
                      FindProcessId      2        0x613c1848
                      NetApiBufferFree   3        0x613c1e5f
                      NetpIsRemote       4        0x613c1e6b
                      NetpwNameValidate  5        0x613c1e59
                      NetpwPathType      6        0x613c1e65
                      PxBu               7        0x613c1c79
                      Pxon               8        0x613c1d0e
                      base46_map         9        0x613c4000
                      base64_decode      10       0x613c16dc
                      base64_encode      11       0x613c1430
                      decrypt            12       0x613c1b61
                      encrypt            13       0x613c19b9
                      revstr             14       0x613c192a
                      No network behavior found

                      Target ID:2
                      Start time:05:27:13
                      Start date:16/08/2024
                      Path:C:\Windows\System32\loaddll64.exe
                      Wow64 process (32bit):false
                      Commandline:loaddll64.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll"
                      Imagebase:0x7ff758850000
                      File size:165'888 bytes
                      MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:3
                      Start time:05:27:13
                      Start date:16/08/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff75da10000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:4
                      Start time:05:27:13
                      Start date:16/08/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1
                      Imagebase:0x7ff7cd150000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:5
                      Start time:05:27:14
                      Start date:16/08/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,ASSnko
                      Imagebase:0x7ff719bc0000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:6
                      Start time:05:27:14
                      Start date:16/08/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1
                      Imagebase:0x7ff719bc0000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:7
                      Start time:05:27:14
                      Start date:16/08/2024
                      Path:C:\Windows\System32\esentutl.exe
                      Wow64 process (32bit):false
                      Commandline:esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
                      Imagebase:0x7ff6c3590000
                      File size:409'600 bytes
                      MD5 hash:E2098B56CF093E165D030E27591CE498
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:8
                      Start time:05:27:14
                      Start date:16/08/2024
                      Path:C:\Windows\System32\esentutl.exe
                      Wow64 process (32bit):true
                      Commandline:esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
                      Imagebase:0xdf0000
                      File size:409'600 bytes
                      MD5 hash:E2098B56CF093E165D030E27591CE498
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:9
                      Start time:05:27:14
                      Start date:16/08/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff75da10000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:10
                      Start time:05:27:14
                      Start date:16/08/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff75da10000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:12
                      Start time:05:27:16
                      Start date:16/08/2024
                      Path:C:\Users\Public\pha.pif
                      Wow64 process (32bit):false
                      Commandline:C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Imagebase:0x7ff67c220000
                      File size:452'608 bytes
                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Antivirus matches:
                      • Detection: 0%, ReversingLabs
                      • Detection: 0%, Virustotal, Browse
                      Reputation:high
                      Has exited:true

                      Target ID:13
                      Start time:05:27:16
                      Start date:16/08/2024
                      Path:C:\Users\Public\pha.pif
                      Wow64 process (32bit):false
                      Commandline:C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Imagebase:0x7ff67c220000
                      File size:452'608 bytes
                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true
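
The process tree above is the chain the signatures "Powershell is started from unusual location" and "Adds a directory exclusion to Windows Defender" refer to: rundll32 runs the export ASSnko, the DLL (which imports WinExec) launches esentutl in /y ... /d copy mode to write powershell.exe to C:\Users\Public\pha.pif (the dropped esentutl log confirms the first copy succeeded and the second failed with "The file exists"), and the renamed copy then runs Add-MpPreference -ExclusionPath 'C:\' with administrator privileges. As an added example for this page, not part of the Joe Sandbox report, here is triage logic that flags each step from process-creation events and correlates the esentutl destination with a later process image. The event records are constructed from the report's command lines plus two benign decoys that must not fire; the field names, severity labels, script-host list and drop-directory list are assumptions of this example.

```python
"""Triage process-creation events for the chain the report's process tree shows:
esentutl copies powershell.exe to C:\\Users\\Public\\pha.pif, and the renamed copy
runs Add-MpPreference to exclude the whole C: drive from Defender.

Added example for this page, not part of the Joe Sandbox report. Field names,
severity labels and the drop-directory list are assumptions of this example.
"""
import ntpath
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DISGUISE_EXTS = {".pif", ".scr", ".com"}          # run as executables but do not look like .exe
DROP_DIRS = ("c:\\users\\public", "c:\\programdata", "\\appdata\\local\\temp")
EXCLUSION_RE = re.compile(
    r"(?:add|set)-mppreference\b.*?-exclusion(?P<kind>path|process|extension)\s+"
    r"(?P<val>'[^']*'|\"[^\"]*\"|\S+)", re.I | re.S)


def normalize(path: str) -> str:
    """Collapse the doubled backslashes in the report's command lines, strip quotes, lower-case."""
    return re.sub(r"\\{2,}", r"\\", path).strip("\"'").lower()


def tokenize(cmd: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def check_esentutl_copy(cmd: str):
    """esentutl /y <src> /d <dst> copies a file; score what is copied and where."""
    toks = tokenize(cmd)
    if not toks or ntpath.basename(normalize(toks[0])) not in ("esentutl", "esentutl.exe"):
        return None
    src = dst = None
    for i, t in enumerate(toks[:-1]):
        if t.lower() == "/y":
            src = normalize(toks[i + 1])
        elif t.lower() == "/d":
            dst = normalize(toks[i + 1])
    if src is None or dst is None:
        return None                                   # repair/recovery modes, not copy mode
    reasons = []
    if ntpath.basename(src) in SCRIPT_HOSTS:
        reasons.append("source is a script host")
    src_ext, dst_ext = ntpath.splitext(src)[1], ntpath.splitext(dst)[1]
    if dst_ext in DISGUISE_EXTS and dst_ext != src_ext:
        reasons.append("renamed to a disguised extension")
    if any(d in dst for d in DROP_DIRS):
        reasons.append("destination is a user-writable drop directory")
    return {"rule": "esentutl_copy", "severity": "high" if reasons else "low",
            "src": src, "dst": dst, "reasons": reasons}


def check_defender_exclusion(cmd: str):
    """Any Add-/Set-MpPreference -Exclusion* is worth a look; excluding a drive root is worse."""
    m = EXCLUSION_RE.search(cmd)
    if not m:
        return None
    kind, val = m.group("kind").lower(), normalize(m.group("val"))
    reasons = []
    if kind == "path" and re.fullmatch(r"[a-z]:\\?", val):
        reasons.append("excludes an entire drive")
    return {"rule": "defender_exclusion", "severity": "high" if reasons else "medium",
            "kind": kind, "value": val, "reasons": reasons}


def triage(events):
    """events: [{"image": ..., "cmdline": ...}] in execution order; correlates copies with later images."""
    findings, copies = [], {}
    for ev in events:
        image = normalize(ev["image"])
        if image in copies:                           # a file esentutl wrote earlier is now running
            findings.append({"rule": "renamed_copy_executed", "severity": "critical",
                             "image": image, "original": copies[image]})
        copy = check_esentutl_copy(ev["cmdline"])
        if copy:
            findings.append(copy)
            copies[copy["dst"]] = copy["src"]
        excl = check_defender_exclusion(ev["cmdline"])
        if excl:
            findings.append(dict(excl, image=image))
    return findings


# Constructed from the report's command lines, plus two benign decoys that must not fire.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\esentutl.exe",
     "cmdline": r"esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o"},
    {"image": r"C:\Users\Public\pha.pif",
     "cmdline": r'''C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"'''},
    {"image": r"C:\Windows\System32\esentutl.exe",
     "cmdline": r"esentutl /p C:\Windows\NTDS\ntds.dit"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -Command "Get-MpPreference"'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["rule"], {k: v for k, v in f.items() if k not in ("rule", "severity")})
```

Two points worth keeping in mind when adapting this to real telemetry. The doubled backslashes are copied from the report's command lines; Windows resolves them like single ones, so matching must normalize them or a path-equality rule silently misses the copy. And Add-MpPreference only succeeds from an elevated process, which the report's "Has administrator privileges: true" on the pha.pif processes confirms; a hit from a non-elevated process is still a detection of intent, but the exclusion was not actually applied.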

                      Target ID:14
                      Start time:05:27:16
                      Start date:16/08/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff75da10000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:15
                      Start time:05:27:16
                      Start date:16/08/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff75da10000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:16
                      Start time:05:27:17
                      Start date:16/08/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,FindProcessId
                      Imagebase:0x7ff719bc0000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:17
                      Start time:05:27:17
                      Start date:16/08/2024
                      Path:C:\Windows\System32\esentutl.exe
                      Wow64 process (32bit):false
                      Commandline:esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
                      Imagebase:0x7ff6c3590000
                      File size:409'600 bytes
                      MD5 hash:E2098B56CF093E165D030E27591CE498
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:18
                      Start time:05:27:17
                      Start date:16/08/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff75da10000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:19
                      Start time:05:27:19
                      Start date:16/08/2024
                      Path:C:\Users\Public\pha.pif
                      Wow64 process (32bit):false
                      Commandline:C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Imagebase:0x7ff67c220000
                      File size:452'608 bytes
                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:20
                      Start time:05:27:19
                      Start date:16/08/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff75da10000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:21
                      Start time:05:27:20
                      Start date:16/08/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,NetApiBufferFree
                      Imagebase:0x7ff719bc0000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:22
                      Start time:05:27:20
                      Start date:16/08/2024
                      Path:C:\Windows\System32\esentutl.exe
                      Wow64 process (32bit):false
                      Commandline:esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
                      Imagebase:0x7ff6c3590000
                      File size:409'600 bytes
                      MD5 hash:E2098B56CF093E165D030E27591CE498
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:23
                      Start time:05:27:20
                      Start date:16/08/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff75da10000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:26
                      Start time:05:27:22
                      Start date:16/08/2024
                      Path:C:\Users\Public\pha.pif
                      Wow64 process (32bit):false
                      Commandline:C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Imagebase:0x7ff67c220000
                      File size:452'608 bytes
                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:27
                      Start time:05:27:22
                      Start date:16/08/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff75da10000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:28
                      Start time:05:27:23
                      Start date:16/08/2024
                      Path:C:\Windows\System32\esentutl.exe
                      Wow64 process (32bit):false
                      Commandline:esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
                      Imagebase:0x7ff6c3590000
                      File size:409'600 bytes
                      MD5 hash:E2098B56CF093E165D030E27591CE498
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:29
                      Start time:05:27:25
                      Start date:16/08/2024
                      Path:C:\Users\Public\pha.pif
                      Wow64 process (32bit):false
                      Commandline:C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Imagebase:0x7ff67c220000
                      File size:452'608 bytes
                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true


                        Execution Graph

                        Execution Coverage:20.1%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:5.4%
                        Total number of Nodes:148
                        Total number of Limit Nodes:2
                        execution_graph 838 613c13e0 839 613c13f6 838->839 844 613c2830 839->844 841 613c1413 848 613c2bc0 841->848 845 613c2859 844->845 846 613c2870 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 844->846 845->841 847 613c28cd 846->847 847->841 850 613c2bcf 848->850 849 613c1418 850->849 851 613c2c90 RtlAddFunctionTable 850->851 851->849 852 613c1290 853 613c12af 852->853 854 613c12f0 852->854 857 613c2470 6 API calls 853->857 858 613c12d6 853->858 879 613c2470 854->879 856 613c12f5 859 613c1305 856->859 860 613c12be 856->860 857->860 899 613c1050 859->899 862 613c222b 5 API calls 860->862 864 613c12cb 862->864 863 613c130a 863->858 865 613c1370 863->865 866 613c1353 863->866 864->858 869 613c1050 2 API calls 864->869 867 613c1375 865->867 868 613c13c0 865->868 866->858 870 613c1050 2 API calls 866->870 905 613c2810 867->905 871 613c222b 5 API calls 868->871 869->858 870->858 871->864 873 613c137a 910 613c222b 873->910 876 613c222b 5 API calls 877 613c13a1 876->877 878 613c1050 2 API calls 877->878 878->864 882 613c24a0 879->882 888 613c248b 879->888 880 613c2650 881 613c2659 880->881 880->888 883 613c2300 4 API calls 881->883 885 613c2688 881->885 882->880 884 613c253c 882->884 882->888 883->881 887 613c268d 884->887 884->888 889 613c2594 884->889 892 613c26f6 884->892 895 613c26c1 884->895 891 613c25c4 885->891 886 613c2300 4 API calls 886->892 890 613c2300 4 API calls 887->890 887->892 888->856 889->884 889->891 889->892 914 613c2300 889->914 890->895 891->888 896 613c2613 VirtualQuery 891->896 893 613c2300 4 API calls 892->893 897 613c2739 893->897 895->886 896->888 898 613c262c VirtualProtect 896->898 897->888 898->891 900 613c1066 899->900 901 613c10e0 899->901 902 613c1094 Sleep 900->902 904 613c10a8 900->904 903 613c1119 Sleep 901->903 901->904 902->900 903->901 904->863 906 613c281a 905->906 907 613c27b0 905->907 906->873 923 613c2f20 907->923 911 613c138a 910->911 912 613c2244 910->912 
911->858 911->876 932 613c1e6b 912->932 915 613c2332 914->915 916 613c2393 VirtualQuery 915->916 919 613c2435 915->919 917 613c23c1 memcpy 916->917 916->919 920 613c248b 919->920 921 613c2613 VirtualQuery 919->921 920->889 921->920 922 613c262c VirtualProtect 921->922 922->919 924 613c2f34 923->924 925 613c2fb5 924->925 930 613c36b0 _lock 924->930 925->873 931 613ca324 930->931 933 613c1ea5 932->933 962 613c1d97 LoadLibraryW 933->962 935 613c1f55 936 613c1d97 LoadLibraryW 935->936 937 613c1f81 936->937 938 613c1d97 LoadLibraryW 937->938 939 613c1fe5 938->939 940 613c1d97 LoadLibraryW 939->940 941 613c2011 940->941 942 613c201d WinExec 941->942 964 613c3620 Sleep 942->964 944 613c2038 945 613c1d97 LoadLibraryW 944->945 946 613c2064 945->946 947 613c1d97 LoadLibraryW 946->947 948 613c2090 947->948 949 613c1d97 LoadLibraryW 948->949 950 613c217b 949->950 951 613c1d97 LoadLibraryW 950->951 952 613c21a7 951->952 953 613c21b3 WinExec 952->953 954 613c21d3 953->954 955 613c1d97 LoadLibraryW 954->955 956 613c21f0 955->956 957 613c1d97 LoadLibraryW 956->957 958 613c221c ExitProcess 957->958 960 613c222b 958->960 959 613c2258 959->911 960->959 961 613c1e6b 2 API calls 960->961 961->959 963 613c1dc1 962->963 963->935 964->944 965 613c2e70 966 613c2e78 965->966 967 613c2e7d 966->967 970 613c3530 966->970 969 613c2e95 971 613c3539 970->971 972 613c3582 970->972 973 613c353b 971->973 974 613c3554 971->974 975 613c358c 972->975 976 613c35a0 InitializeCriticalSection 972->976 981 613c354a 973->981 982 613c33a0 EnterCriticalSection 973->982 977 613c33a0 3 API calls 974->977 980 613c355e 974->980 975->969 976->975 977->980 978 613c3569 DeleteCriticalSection 978->981 980->978 980->981 981->969 983 613c33f4 982->983 985 613c33c1 982->985 984 613c33d0 TlsGetValue GetLastError 984->985 985->983 985->984 987 613c2ea0 988 613c2eb2 987->988 989 613c3530 5 API calls 988->989 990 613c2ec2 988->990 989->990 991 613c2910 RtlCaptureContext RtlLookupFunctionEntry 992 613c294d RtlVirtualUnwind 
991->992 993 613c29f0 991->993 994 613c2983 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 992->994 993->994 994->993 995 613c3410 996 613c3430 995->996 997 613c3421 995->997 996->997 998 613c344c EnterCriticalSection LeaveCriticalSection 996->998 999 613c3490 1000 613c349f 999->1000 1001 613c34b0 EnterCriticalSection 999->1001 1002 613c34e7 LeaveCriticalSection 1001->1002 1003 613c34cb 1001->1003 1004 613c34f4 1002->1004 1003->1002 1005 613c34d1 1003->1005 1006 613c3510 LeaveCriticalSection 1005->1006 1006->1004 986 613c37b1 RtlAddFunctionTable

                        Callgraph

                        • Executed
                        • Not Executed
                        • Opacity -> Relevance
                        • Disassembly available
                        callgraph 0 Function_613D16BF 1 Function_613C36B8 2 Function_613C19B9 3 Function_613C31B0 45 Function_613C2FF0 3->45 4 Function_613C2830 5 Function_613C36B0 6 Function_613C1430 7 Function_613C2CB0 28 Function_613C3390 7->28 8 Function_613C3530 17 Function_613C33A0 8->17 9 Function_613C3030 10 Function_613C37B1 11 Function_613C36A9 12 Function_613C192A 13 Function_613C222B 51 Function_613C1E6B 13->51 52 Function_613C1E65 13->52 58 Function_613C1E5F 13->58 59 Function_613C1E59 13->59 14 Function_613C3620 15 Function_613C3120 15->45 16 Function_613C2F20 16->1 16->5 36 Function_613C2280 16->36 48 Function_613C2270 16->48 18 Function_613C2EA0 18->8 19 Function_613D0021 20 Function_613D039A 21 Function_613CA294 22 Function_613C1D97 23 Function_613C2F10 24 Function_613C1290 24->13 25 Function_613C3610 24->25 26 Function_613C2810 24->26 47 Function_613C2470 24->47 60 Function_613C1050 24->60 26->16 27 Function_613C2910 29 Function_613C2A10 29->28 30 Function_613C3410 31 Function_613C3490 32 Function_613C3012 33 Function_613D0513 34 Function_613C1D0E 57 Function_613C16DC 34->57 35 Function_613C3080 35->45 37 Function_613C1000 37->36 38 Function_613C2300 38->15 38->38 46 Function_613C3170 38->46 61 Function_613C35D0 38->61 66 Function_613C3240 38->66 39 Function_613C3280 39->9 39->45 40 Function_613C4081 41 Function_613D0D00 42 Function_613D1DFE 43 Function_613C1C79 43->57 44 Function_613D057A 46->45 47->38 47->46 47->61 49 Function_613C2E70 49->8 50 Function_613C22ED 51->12 51->14 51->22 51->51 51->52 51->57 51->58 51->59 53 Function_613C13E0 53->4 65 Function_613C2BC0 53->65 54 Function_613C32E0 54->9 54->45 55 Function_613C4060 56 Function_613C1B61 60->48 62 Function_613D1CCD 63 Function_613C1848 64 Function_613D1E4B 65->3 65->35 65->66 66->45

                        Control-flow Graph

                        APIs
                          • Part of subcall function 613C1D97: LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                        • WinExec.KERNEL32 ref: 613C202C
                          • Part of subcall function 613C3620: Sleep.KERNEL32 ref: 613C362A
                        • WinExec.KERNEL32 ref: 613C21C2
                        • ExitProcess.KERNEL32 ref: 613C2228
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.1411634517.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000002.00000002.1411320486.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1411738444.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412072213.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412335861.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1413379993.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1414706735.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_613c0000_loaddll64.jbxd
                        Similarity
                        • API ID: Exec$ExitLibraryLoadProcessSleep
                        • String ID: 4VULgU2Y$=82LgYWaw5SYoBHXcNWasJWdQxFXzJXZzVFXcpzQgQ2LgUGel5CbsVGazJXZ39GccxFMuEjdcxFbsVGaTJXZ39GUzd3bk5WaXxFXyMTblR3c5NFXcN3dvRmbpdFXcpzQgk3LgwGd1RnblNXZ$==Qaz1WQ$=cmbpJHd$=cmbpJHd$T5WYjNVa$T5WYjNVa$gYWaw5SY$ggGdhBlb$h1WbvNUL$icCX6M0J$kFkIgQmb$oBHXcNWa$sJWdQxFX$uVmclZWZ$vl2c1x2Y$yBFcN1CZ$z1WQ$z1WQ$zJXZzVFX
                        • API String ID: 1758684399-1342957281
                        • Opcode ID: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                        • Instruction ID: a98b6bfe7a99aebf3bb0dc4532f6b7cdca838be127f0f4748d87de296261d5c7
                        • Opcode Fuzzy Hash: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                        • Instruction Fuzzy Hash: 74813E75701B869DCF24EBA6A8543E873A5A785F8CF4480398E8E5FB18FF38C6159341

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 87 613c2bc0-613c2bda call 613c3240 90 613c2bdc-613c2bdf 87->90 91 613c2c01-613c2c0b 87->91 90->91 92 613c2be1-613c2bfa call 613c3080 90->92 95 613c2bfc 92->95 96 613c2c10-613c2c40 92->96 95->91 97 613c2c70-613c2c7b call 613c31b0 96->97 100 613c2c7d-613c2c80 97->100 101 613c2c42-613c2c6e 97->101 100->95 103 613c2c86-613c2c88 100->103 101->97 102 613c2ca5-613c2caa 101->102 104 613c2c90-613c2ca0 RtlAddFunctionTable 102->104 103->104 104->95
                        APIs
                        • RtlAddFunctionTable.KERNEL32 ref: 613C2C9A
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.1411634517.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000002.00000002.1411320486.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1411738444.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412072213.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412335861.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1413379993.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1414706735.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_613c0000_loaddll64.jbxd
                        Similarity
                        • API ID: FunctionTable
                        • String ID: .pdata
                        • API String ID: 1252446317-4177594709
                        • Opcode ID: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                        • Instruction ID: a98d7effac0a08117c3fa1e10c50b581c5c7b73d9eed72f9ca58742f97c7602a
                        • Opcode Fuzzy Hash: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                        • Instruction Fuzzy Hash: 4621B472B022609AFB058FA9DA443947B62A788F98F4CD024CE0B57314EB3A9A61D755

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 105 613c1d97-613c1dca LoadLibraryW 107 613c1dcc-613c1e2d 105->107 108 613c1e31-613c1e58 105->108 107->108
                        APIs
                        • LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                        Memory Dump Source
                        • Source File: 00000002.00000002.1411634517.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000002.00000002.1411320486.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1411738444.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412072213.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412335861.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1413379993.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1414706735.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_613c0000_loaddll64.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                        • Instruction ID: c1c33eecdd383886d2d8d2bb6f1c2682b4f93b08dfe668e5ddc8be9d462bd23a
                        • Opcode Fuzzy Hash: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                        • Instruction Fuzzy Hash: 06210B72B11B608CE700DBB9EC4439C3B71A348B98F044515DE6DA7BA8EF39C650C394

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 160 613c3620-613c3636 Sleep
                        APIs
                        Memory Dump Source
                        • Source File: 00000002.00000002.1411634517.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000002.00000002.1411320486.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1411738444.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412072213.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412335861.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1413379993.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1414706735.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_613c0000_loaddll64.jbxd
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                        • Instruction ID: e9c459437bb93fbad0663031f86f151610a23291e51109e838943003221a6897
                        • Opcode Fuzzy Hash: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                        • Instruction Fuzzy Hash: F0B01220F13160C3D70C33769C9635850D5574C300FD000288107842A0DC9D02A64640

                        Control-flow Graph

                        APIs
                        • RtlCaptureContext.KERNEL32 ref: 613C2924
                        • RtlLookupFunctionEntry.KERNEL32 ref: 613C293B
                        • RtlVirtualUnwind.KERNEL32 ref: 613C297D
                        • SetUnhandledExceptionFilter.KERNEL32 ref: 613C29C4
                        • UnhandledExceptionFilter.KERNEL32 ref: 613C29D1
                        • GetCurrentProcess.KERNEL32 ref: 613C29D7
                        • TerminateProcess.KERNEL32 ref: 613C29E5
                        Memory Dump Source
                        • Source File: 00000002.00000002.1411634517.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000002.00000002.1411320486.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1411738444.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412072213.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412335861.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1413379993.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1414706735.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_613c0000_loaddll64.jbxd
                        Similarity
                        • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
                        • String ID:
                        • API String ID: 3266983031-0
                        • Opcode ID: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                        • Instruction ID: e8e25b836daba40db766a00739c45693a0588c7fa2b6924b27fae8a827f53c88
                        • Opcode Fuzzy Hash: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                        • Instruction Fuzzy Hash: E421D375611B31D9EB008B61F8843C937AAB748B98F480566D94F67734EF3AC764C780

                        Control-flow Graph

                        APIs
                        • GetSystemTimeAsFileTime.KERNEL32 ref: 613C2875
                        • GetCurrentProcessId.KERNEL32 ref: 613C2880
                        • GetCurrentThreadId.KERNEL32 ref: 613C2888
                        • GetTickCount.KERNEL32 ref: 613C2890
                        • QueryPerformanceCounter.KERNEL32 ref: 613C289D
                        Memory Dump Source
                        • Source File: 00000002.00000002.1411634517.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000002.00000002.1411320486.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1411738444.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412072213.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412335861.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1413379993.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1414706735.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_613c0000_loaddll64.jbxd
                        Similarity
                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                        • String ID:
                        • API String ID: 1445889803-0
                        • Opcode ID: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                        • Instruction ID: fbcbe058b436404562c126ae5aac31350f057f625ad19c487ba693073682924f
                        • Opcode Fuzzy Hash: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                        • Instruction Fuzzy Hash: 6411BF33756B3082F7005B25B904385B2A2B788BA0F0C5231EE5E53BA4EF3DC9968340

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 344 613c1d0e-613c1d96 call 613c16dc
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.1411634517.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000002.00000002.1411320486.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1411738444.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412072213.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412335861.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1413379993.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1414706735.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_613c0000_loaddll64.jbxd
                        Similarity
                        • API ID:
                        • String ID: 1$H$QW1zaU9wZW5TZXNzaW9u$amsi
                        • API String ID: 0-2475992684
                        • Opcode ID: 1bb04ba2f0fa43a65cbcdff75b826ee074d1c3cac69b7fde60ac233b5bb34267
                        • Instruction ID: 48afebd15f5027fc2ff16c9ee842c811c6bede606a0100d88bde5cd432c053ef
                        • Opcode Fuzzy Hash: 1bb04ba2f0fa43a65cbcdff75b826ee074d1c3cac69b7fde60ac233b5bb34267
                        • Instruction Fuzzy Hash: AA012C32710B64CCEB019BB5EC413EC3772A358B88F480616CE5DA7764EF2AC3618390

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 188 613c2470-613c2489 189 613c248b-613c2498 188->189 190 613c24a0-613c24f7 call 613c3170 call 613c35d0 188->190 190->189 195 613c24f9-613c24fd 190->195 196 613c24ff-613c2505 195->196 197 613c2525-613c252b 195->197 198 613c250b-613c2512 196->198 199 613c2650-613c2653 196->199 197->199 200 613c2531-613c2536 197->200 198->199 201 613c2518-613c251f 198->201 199->189 203 613c2659-613c2660 199->203 200->199 202 613c253c-613c2542 200->202 201->202 204 613c2521 201->204 205 613c275c-613c2781 call 613c2290 202->205 206 613c2548-613c254f 202->206 207 613c2664-613c2686 call 613c2300 203->207 204->197 214 613c27a0-613c27a4 205->214 215 613c2783-613c279e 205->215 206->189 209 613c2555-613c2560 206->209 218 613c2688 207->218 212 613c256a-613c257f 209->212 216 613c2585 212->216 217 613c26c6-613c26f6 call 613c2300 212->217 215->214 220 613c268d-613c2690 216->220 221 613c258b-613c258e 216->221 223 613c26fb-613c270a call 613c2290 217->223 222 613c25c4-613c25d0 218->222 220->223 224 613c2692-613c26c1 call 613c2300 220->224 228 613c270f-613c2739 call 613c2300 221->228 229 613c2594-613c2597 221->229 222->189 225 613c25d6-613c25e8 222->225 223->228 224->217 232 613c2603-613c2611 225->232 242 613c273e-613c2757 call 613c2290 228->242 229->223 230 613c259d-613c25c2 call 613c2300 229->230 230->212 230->222 237 613c25f0-613c25fd 232->237 238 613c2613-613c2626 VirtualQuery 232->238 237->189 237->232 241 613c262c-613c2645 VirtualProtect 238->241 238->242 241->237 242->205
                        APIs
                        • VirtualQuery.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2620
                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2642
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.1411634517.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000002.00000002.1411320486.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1411738444.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412072213.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412335861.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1413379993.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1414706735.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_613c0000_loaddll64.jbxd
                        Similarity
                        • API ID: Virtual$ProtectQuery
                        • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p$T@<a
                        • API String ID: 1027372294-2627587640
                        • Opcode ID: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                        • Instruction ID: 62939e9ad82f9327e1e07ec4eefc127d92b0ac663fd755b0084f4618bd059482
                        • Opcode Fuzzy Hash: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                        • Instruction Fuzzy Hash: 2771DE76B11A2489EB01CF76EA8078AB362B748FACF48D115CD1F17358DB3AC911C352

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 270 613c2300-613c232e 271 613c2332-613c2359 270->271 273 613c235b-613c2369 call 613c3120 271->273 276 613c236f-613c23bf call 613c3240 VirtualQuery 273->276 277 613c2452-613c2489 call 613c2290 273->277 283 613c2435-613c244d call 613c2290 276->283 284 613c23c1-613c23cb 276->284 286 613c248b-613c2498 277->286 287 613c24a0-613c24f7 call 613c3170 call 613c35d0 277->287 283->277 288 613c23cd-613c23d3 284->288 289 613c23f9-613c36a0 memcpy 284->289 287->286 295 613c24f9-613c24fd 287->295 288->289 296 613c24ff-613c2505 295->296 297 613c2525-613c252b 295->297 298 613c250b-613c2512 296->298 299 613c2650-613c2653 296->299 297->299 300 613c2531-613c2536 297->300 298->299 301 613c2518-613c251f 298->301 299->286 303 613c2659-613c2660 299->303 300->299 302 613c253c-613c2542 300->302 301->302 304 613c2521 301->304 305 613c275c-613c2781 call 613c2290 302->305 306 613c2548-613c254f 302->306 307 613c2664-613c2686 call 613c2300 303->307 304->297 314 613c27a0-613c27a4 305->314 315 613c2783-613c279e 305->315 306->286 309 613c2555-613c2560 306->309 318 613c2688 307->318 312 613c256a-613c257f 309->312 316 613c2585 312->316 317 613c26c6-613c26f6 call 613c2300 312->317 315->314 320 613c268d-613c2690 316->320 321 613c258b-613c258e 316->321 323 613c26fb-613c270a call 613c2290 317->323 322 613c25c4-613c25d0 318->322 320->323 324 613c2692-613c26c1 call 613c2300 320->324 328 613c270f-613c2739 call 613c2300 321->328 329 613c2594-613c2597 321->329 322->286 325 613c25d6-613c25e8 322->325 323->328 324->317 332 613c2603-613c2611 325->332 342 613c273e-613c2757 call 613c2290 328->342 329->323 330 613c259d-613c25c2 call 613c2300 329->330 330->312 330->322 337 613c25f0-613c25fd 332->337 338 613c2613-613c2626 VirtualQuery 332->338 337->286 337->332 341 613c262c-613c2645 VirtualProtect 338->341 338->342 341->337 342->305
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.1411634517.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000002.00000002.1411320486.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1411738444.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412072213.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1412335861.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1413379993.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000002.00000002.1414706735.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_613c0000_loaddll64.jbxd
                        Similarity
                        • API ID: QueryVirtual
                        • String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$T@<a
                        • API String ID: 1804819252-4232178576
                        • Opcode ID: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                        • Instruction ID: 6a292cefe7e1f4070340493715416b3679d18dd40189ba87be4cd8971f2c6506
                        • Opcode Fuzzy Hash: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                        • Instruction Fuzzy Hash: 2631F673701A649AE601DF12ED04B967B65F788FE8F48C121DE1E17320DB3AD652C740

                        Execution Graph

                        Execution Coverage:20.1%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:0%
                        Total number of Nodes:148
                        Total number of Limit Nodes:2
                        execution_graph 836 613c13e0 837 613c13f6 836->837 842 613c2830 837->842 839 613c1413 846 613c2bc0 839->846 843 613c2859 842->843 844 613c2870 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 842->844 843->839 845 613c28cd 844->845 845->839 848 613c2bcf 846->848 847 613c1418 848->847 849 613c2c90 RtlAddFunctionTable 848->849 849->847 850 613c1290 851 613c12af 850->851 852 613c12f0 850->852 855 613c2470 6 API calls 851->855 856 613c12d6 851->856 877 613c2470 852->877 854 613c12f5 857 613c1305 854->857 858 613c12be 854->858 855->858 897 613c1050 857->897 860 613c222b 5 API calls 858->860 862 613c12cb 860->862 861 613c130a 861->856 863 613c1370 861->863 864 613c1353 861->864 862->856 867 613c1050 2 API calls 862->867 865 613c1375 863->865 866 613c13c0 863->866 864->856 868 613c1050 2 API calls 864->868 903 613c2810 865->903 869 613c222b 5 API calls 866->869 867->856 868->856 869->862 871 613c137a 908 613c222b 871->908 874 613c222b 5 API calls 875 613c13a1 874->875 876 613c1050 2 API calls 875->876 876->862 880 613c24a0 877->880 882 613c248b 877->882 878 613c2650 879 613c2659 878->879 878->882 881 613c2300 4 API calls 879->881 884 613c2688 879->884 880->878 880->882 883 613c253c 880->883 881->879 882->854 883->882 886 613c26f6 883->886 887 613c268d 883->887 889 613c2594 883->889 894 613c26c1 883->894 888 613c25c4 884->888 885 613c2300 4 API calls 885->886 891 613c2300 4 API calls 886->891 887->886 890 613c2300 4 API calls 887->890 888->882 895 613c2613 VirtualQuery 888->895 889->883 889->886 889->888 912 613c2300 889->912 890->894 892 613c2739 891->892 892->882 894->885 895->882 896 613c262c VirtualProtect 895->896 896->888 898 613c1066 897->898 899 613c10e0 897->899 900 613c1094 Sleep 898->900 902 613c10a8 898->902 901 613c1119 Sleep 899->901 899->902 900->898 901->899 902->861 904 613c281a 903->904 905 613c27b0 903->905 904->871 921 613c2f20 905->921 909 613c138a 908->909 910 613c2244 908->910 
909->856 909->874 930 613c1e6b 910->930 913 613c2332 912->913 914 613c2393 VirtualQuery 913->914 917 613c2435 913->917 915 613c23c1 memcpy 914->915 914->917 918 613c248b 917->918 919 613c2613 VirtualQuery 917->919 918->889 919->918 920 613c262c VirtualProtect 919->920 920->917 922 613c2f34 921->922 923 613c2fb5 922->923 928 613c36b0 _lock 922->928 923->871 929 613ca324 928->929 931 613c1ea5 930->931 960 613c1d97 LoadLibraryW 931->960 933 613c1f55 934 613c1d97 LoadLibraryW 933->934 935 613c1f81 934->935 936 613c1d97 LoadLibraryW 935->936 937 613c1fe5 936->937 938 613c1d97 LoadLibraryW 937->938 939 613c2011 938->939 940 613c201d WinExec 939->940 962 613c3620 Sleep 940->962 942 613c2038 943 613c1d97 LoadLibraryW 942->943 944 613c2064 943->944 945 613c1d97 LoadLibraryW 944->945 946 613c2090 945->946 947 613c1d97 LoadLibraryW 946->947 948 613c217b 947->948 949 613c1d97 LoadLibraryW 948->949 950 613c21a7 949->950 951 613c21b3 WinExec 950->951 952 613c21d3 951->952 953 613c1d97 LoadLibraryW 952->953 954 613c21f0 953->954 955 613c1d97 LoadLibraryW 954->955 956 613c221c ExitProcess 955->956 958 613c222b 956->958 957 613c2258 957->909 958->957 959 613c1e6b 2 API calls 958->959 959->957 961 613c1dc1 960->961 961->933 962->942 963 613c2e70 964 613c2e78 963->964 965 613c2e7d 964->965 968 613c3530 964->968 967 613c2e95 969 613c3539 968->969 970 613c3582 968->970 973 613c353b 969->973 974 613c3554 969->974 971 613c358c 970->971 972 613c35a0 InitializeCriticalSection 970->972 971->967 972->971 976 613c354a 973->976 980 613c33a0 EnterCriticalSection 973->980 975 613c355e 974->975 978 613c33a0 3 API calls 974->978 975->976 977 613c3569 DeleteCriticalSection 975->977 976->967 977->976 978->975 981 613c33f4 980->981 983 613c33c1 980->983 982 613c33d0 TlsGetValue GetLastError 982->983 983->981 983->982 985 613c2ea0 986 613c2eb2 985->986 987 613c3530 5 API calls 986->987 988 613c2ec2 986->988 987->988 989 613c2910 RtlCaptureContext RtlLookupFunctionEntry 990 613c294d RtlVirtualUnwind 
989->990 991 613c29f0 989->991 992 613c2983 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 990->992 991->992 992->991 993 613c3410 994 613c3430 993->994 995 613c3421 993->995 994->995 996 613c344c EnterCriticalSection LeaveCriticalSection 994->996 997 613c3490 998 613c349f 997->998 999 613c34b0 EnterCriticalSection 997->999 1000 613c34e7 LeaveCriticalSection 999->1000 1001 613c34cb 999->1001 1002 613c34f4 1000->1002 1001->1000 1003 613c34d1 1001->1003 1004 613c3510 LeaveCriticalSection 1003->1004 1004->1002 984 613c37b1 RtlAddFunctionTable

                        Callgraph

                        • Executed
                        • Not Executed
                        • Opacity -> Relevance
                        • Disassembly available
                        callgraph 0 Function_613D16BF 1 Function_613C36B8 2 Function_613C19B9 3 Function_613C3030 4 Function_613C3530 17 Function_613C33A0 4->17 5 Function_613C2CB0 28 Function_613C3390 5->28 6 Function_613C1430 7 Function_613C36B0 8 Function_613C2830 9 Function_613C31B0 45 Function_613C2FF0 9->45 10 Function_613C37B1 11 Function_613C36A9 12 Function_613C192A 13 Function_613C222B 51 Function_613C1E6B 13->51 52 Function_613C1E65 13->52 57 Function_613C1E5F 13->57 58 Function_613C1E59 13->58 14 Function_613C3620 15 Function_613C3120 15->45 16 Function_613C2F20 16->1 16->7 36 Function_613C2280 16->36 48 Function_613C2270 16->48 18 Function_613C2EA0 18->4 19 Function_613D0021 20 Function_613D039A 21 Function_613CA294 22 Function_613C1D97 23 Function_613C2F10 24 Function_613C1290 24->13 25 Function_613C3610 24->25 26 Function_613C2810 24->26 47 Function_613C2470 24->47 59 Function_613C1050 24->59 26->16 27 Function_613C2910 29 Function_613C2A10 29->28 30 Function_613C3410 31 Function_613C3490 32 Function_613C3012 33 Function_613D0513 34 Function_613C1D0E 56 Function_613C16DC 34->56 35 Function_613C3080 35->45 37 Function_613C1000 37->36 38 Function_613C2300 38->15 38->38 44 Function_613C3170 38->44 60 Function_613C35D0 38->60 65 Function_613C3240 38->65 39 Function_613C3280 39->3 39->45 40 Function_613D0D00 41 Function_613D1DFE 42 Function_613C1C79 42->56 43 Function_613D057A 44->45 46 Function_613C2E70 46->4 47->38 47->44 47->60 49 Function_613C4072 50 Function_613C22ED 51->12 51->14 51->22 51->51 51->52 51->56 51->57 51->58 53 Function_613C13E0 53->8 64 Function_613C2BC0 53->64 54 Function_613C32E0 54->3 54->45 55 Function_613C1B61 59->48 61 Function_613D1CCD 62 Function_613C1848 63 Function_613D1E4B 64->9 64->35 64->65 65->45

                        Control-flow Graph

                        APIs
                          • Part of subcall function 613C1D97: LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                        • WinExec.KERNEL32 ref: 613C202C
                          • Part of subcall function 613C3620: Sleep.KERNEL32 ref: 613C362A
                        • WinExec.KERNEL32 ref: 613C21C2
                        • ExitProcess.KERNEL32 ref: 613C2228
                        Strings
                        Memory Dump Source
                        • Source File: 00000005.00000002.1321821043.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000005.00000002.1321794539.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321846857.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321872073.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321896312.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321919144.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321941439.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: Exec$ExitLibraryLoadProcessSleep
                        • String ID: 4VULgU2Y$=82LgYWaw5SYoBHXcNWasJWdQxFXzJXZzVFXcpzQgQ2LgUGel5CbsVGazJXZ39GccxFMuEjdcxFbsVGaTJXZ39GUzd3bk5WaXxFXyMTblR3c5NFXcN3dvRmbpdFXcpzQgk3LgwGd1RnblNXZ$==Qaz1WQ$=cmbpJHd$=cmbpJHd$T5WYjNVa$T5WYjNVa$gYWaw5SY$ggGdhBlb$h1WbvNUL$icCX6M0J$kFkIgQmb$oBHXcNWa$sJWdQxFX$uVmclZWZ$vl2c1x2Y$yBFcN1CZ$z1WQ$z1WQ$zJXZzVFX
                        • API String ID: 1758684399-1342957281
                        • Opcode ID: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                        • Instruction ID: a98b6bfe7a99aebf3bb0dc4532f6b7cdca838be127f0f4748d87de296261d5c7
                        • Opcode Fuzzy Hash: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                        • Instruction Fuzzy Hash: 74813E75701B869DCF24EBA6A8543E873A5A785F8CF4480398E8E5FB18FF38C6159341

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 87 613c2bc0-613c2bda call 613c3240 90 613c2bdc-613c2bdf 87->90 91 613c2c01-613c2c0b 87->91 90->91 92 613c2be1-613c2bfa call 613c3080 90->92 95 613c2bfc 92->95 96 613c2c10-613c2c40 92->96 95->91 97 613c2c70-613c2c7b call 613c31b0 96->97 100 613c2c7d-613c2c80 97->100 101 613c2c42-613c2c6e 97->101 100->95 103 613c2c86-613c2c88 100->103 101->97 102 613c2ca5-613c2caa 101->102 104 613c2c90-613c2ca0 RtlAddFunctionTable 102->104 103->104 104->95
                        APIs
                        • RtlAddFunctionTable.KERNEL32 ref: 613C2C9A
                        Strings
                        Memory Dump Source
                        • Source File: 00000005.00000002.1321821043.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000005.00000002.1321794539.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321846857.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321872073.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321896312.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321919144.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321941439.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: FunctionTable
                        • String ID: .pdata
                        • API String ID: 1252446317-4177594709
                        • Opcode ID: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                        • Instruction ID: a98d7effac0a08117c3fa1e10c50b581c5c7b73d9eed72f9ca58742f97c7602a
                        • Opcode Fuzzy Hash: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                        • Instruction Fuzzy Hash: 4621B472B022609AFB058FA9DA443947B62A788F98F4CD024CE0B57314EB3A9A61D755

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 105 613c1d97-613c1dca LoadLibraryW 107 613c1dcc-613c1e2d 105->107 108 613c1e31-613c1e58 105->108 107->108
                        APIs
                        • LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                        Memory Dump Source
                        • Source File: 00000005.00000002.1321821043.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000005.00000002.1321794539.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321846857.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321872073.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321896312.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321919144.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321941439.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                        • Instruction ID: c1c33eecdd383886d2d8d2bb6f1c2682b4f93b08dfe668e5ddc8be9d462bd23a
                        • Opcode Fuzzy Hash: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                        • Instruction Fuzzy Hash: 06210B72B11B608CE700DBB9EC4439C3B71A348B98F044515DE6DA7BA8EF39C650C394

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 160 613c3620-613c3636 Sleep
                        APIs
                        Memory Dump Source
                        • Source File: 00000005.00000002.1321821043.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000005.00000002.1321794539.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321846857.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321872073.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321896312.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321919144.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321941439.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                        • Instruction ID: e9c459437bb93fbad0663031f86f151610a23291e51109e838943003221a6897
                        • Opcode Fuzzy Hash: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                        • Instruction Fuzzy Hash: F0B01220F13160C3D70C33769C9635850D5574C300FD000288107842A0DC9D02A64640

                        Control-flow Graph

                        APIs
                        • RtlCaptureContext.KERNEL32 ref: 613C2924
                        • RtlLookupFunctionEntry.KERNEL32 ref: 613C293B
                        • RtlVirtualUnwind.KERNEL32 ref: 613C297D
                        • SetUnhandledExceptionFilter.KERNEL32 ref: 613C29C4
                        • UnhandledExceptionFilter.KERNEL32 ref: 613C29D1
                        • GetCurrentProcess.KERNEL32 ref: 613C29D7
                        • TerminateProcess.KERNEL32 ref: 613C29E5
                        Memory Dump Source
                        • Source File: 00000005.00000002.1321821043.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000005.00000002.1321794539.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321846857.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321872073.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321896312.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321919144.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321941439.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
                        • String ID:
                        • API String ID: 3266983031-0
                        • Opcode ID: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                        • Instruction ID: e8e25b836daba40db766a00739c45693a0588c7fa2b6924b27fae8a827f53c88
                        • Opcode Fuzzy Hash: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                        • Instruction Fuzzy Hash: E421D375611B31D9EB008B61F8843C937AAB748B98F480566D94F67734EF3AC764C780

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 188 613c2470-613c2489 189 613c248b-613c2498 188->189 190 613c24a0-613c24f7 call 613c3170 call 613c35d0 188->190 190->189 195 613c24f9-613c24fd 190->195 196 613c24ff-613c2505 195->196 197 613c2525-613c252b 195->197 198 613c250b-613c2512 196->198 199 613c2650-613c2653 196->199 197->199 200 613c2531-613c2536 197->200 198->199 201 613c2518-613c251f 198->201 199->189 203 613c2659-613c2660 199->203 200->199 202 613c253c-613c2542 200->202 201->202 204 613c2521 201->204 205 613c275c-613c2781 call 613c2290 202->205 206 613c2548-613c254f 202->206 207 613c2664-613c2686 call 613c2300 203->207 204->197 217 613c27a0-613c27a4 205->217 218 613c2783-613c279e 205->218 206->189 210 613c2555-613c2560 206->210 216 613c2688 207->216 211 613c256a-613c257f 210->211 214 613c2585 211->214 215 613c26c6-613c26f6 call 613c2300 211->215 219 613c268d-613c2690 214->219 220 613c258b-613c258e 214->220 225 613c26fb-613c270a call 613c2290 215->225 221 613c25c4-613c25d0 216->221 218->217 219->225 226 613c2692-613c26c1 call 613c2300 219->226 223 613c270f-613c2739 call 613c2300 220->223 224 613c2594-613c2597 220->224 221->189 227 613c25d6-613c25e8 221->227 242 613c273e-613c2757 call 613c2290 223->242 224->225 230 613c259d-613c25c2 call 613c2300 224->230 225->223 226->215 232 613c2603-613c2611 227->232 230->211 230->221 238 613c25f0-613c25fd 232->238 239 613c2613-613c2626 VirtualQuery 232->239 238->189 238->232 241 613c262c-613c2645 VirtualProtect 239->241 239->242 241->238 242->205
                        APIs
                        • VirtualQuery.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2620
                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2642
                        Strings
                        Memory Dump Source
                        • Source File: 00000005.00000002.1321821043.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000005.00000002.1321794539.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321846857.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321872073.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321896312.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321919144.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321941439.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: Virtual$ProtectQuery
                        • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p$T@<a
                        • API String ID: 1027372294-2627587640
                        • Opcode ID: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                        • Instruction ID: 62939e9ad82f9327e1e07ec4eefc127d92b0ac663fd755b0084f4618bd059482
                        • Opcode Fuzzy Hash: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                        • Instruction Fuzzy Hash: 2771DE76B11A2489EB01CF76EA8078AB362B748FACF48D115CD1F17358DB3AC911C352

                        Control-flow Graph

                        APIs
                        • GetSystemTimeAsFileTime.KERNEL32 ref: 613C2875
                        • GetCurrentProcessId.KERNEL32 ref: 613C2880
                        • GetCurrentThreadId.KERNEL32 ref: 613C2888
                        • GetTickCount.KERNEL32 ref: 613C2890
                        • QueryPerformanceCounter.KERNEL32 ref: 613C289D
                        Memory Dump Source
                        • Source File: 00000005.00000002.1321821043.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000005.00000002.1321794539.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321846857.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321872073.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321896312.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321919144.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321941439.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                        • String ID:
                        • API String ID: 1445889803-0
                        • Opcode ID: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                        • Instruction ID: fbcbe058b436404562c126ae5aac31350f057f625ad19c487ba693073682924f
                        • Opcode Fuzzy Hash: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                        • Instruction Fuzzy Hash: 6411BF33756B3082F7005B25B904385B2A2B788BA0F0C5231EE5E53BA4EF3DC9968340

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 00000005.00000002.1321821043.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000005.00000002.1321794539.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321846857.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321872073.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321896312.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321919144.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000005.00000002.1321941439.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: QueryVirtual
                        • String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$T@<a
                        • API String ID: 1804819252-4232178576
                        • Opcode ID: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                        • Instruction ID: 6a292cefe7e1f4070340493715416b3679d18dd40189ba87be4cd8971f2c6506
                        • Opcode Fuzzy Hash: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                        • Instruction Fuzzy Hash: 2631F673701A649AE601DF12ED04B967B65F788FE8F48C121DE1E17320DB3AD652C740

                        Execution Graph

                        Execution Coverage: 20.1%
                        Dynamic/Decrypted Code Coverage: 0%
                        Signature Coverage: 0%
                        Total number of Nodes: 148
                        Total number of Limit Nodes: 2

                        Callgraph


                        Control-flow Graph

                        APIs
                          • Part of subcall function 613C1D97: LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                        • WinExec.KERNEL32 ref: 613C202C
                          • Part of subcall function 613C3620: Sleep.KERNEL32 ref: 613C362A
                        • WinExec.KERNEL32 ref: 613C21C2
                        • ExitProcess.KERNEL32 ref: 613C2228
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1321831520.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000006.00000002.1321807624.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321849373.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321883268.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321906989.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321928964.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321954539.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: Exec$ExitLibraryLoadProcessSleep
                        • String ID: 4VULgU2Y$=82LgYWaw5SYoBHXcNWasJWdQxFXzJXZzVFXcpzQgQ2LgUGel5CbsVGazJXZ39GccxFMuEjdcxFbsVGaTJXZ39GUzd3bk5WaXxFXyMTblR3c5NFXcN3dvRmbpdFXcpzQgk3LgwGd1RnblNXZ$==Qaz1WQ$=cmbpJHd$=cmbpJHd$T5WYjNVa$T5WYjNVa$gYWaw5SY$ggGdhBlb$h1WbvNUL$icCX6M0J$kFkIgQmb$oBHXcNWa$sJWdQxFX$uVmclZWZ$vl2c1x2Y$yBFcN1CZ$z1WQ$z1WQ$zJXZzVFX
                        • API String ID: 1758684399-1342957281
                        • Opcode ID: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                        • Instruction ID: a98b6bfe7a99aebf3bb0dc4532f6b7cdca838be127f0f4748d87de296261d5c7
                        • Opcode Fuzzy Hash: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                        • Instruction Fuzzy Hash: 74813E75701B869DCF24EBA6A8543E873A5A785F8CF4480398E8E5FB18FF38C6159341

                        Control-flow Graph

                        APIs
                        • RtlAddFunctionTable.KERNEL32 ref: 613C2C9A
                        Memory Dump Source
                        • Source File: 00000006.00000002.1321831520.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000006.00000002.1321807624.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321849373.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321883268.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321906989.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321928964.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321954539.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: FunctionTable
                        • String ID: .pdata
                        • API String ID: 1252446317-4177594709
                        • Opcode ID: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                        • Instruction ID: a98d7effac0a08117c3fa1e10c50b581c5c7b73d9eed72f9ca58742f97c7602a
                        • Opcode Fuzzy Hash: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                        • Instruction Fuzzy Hash: 4621B472B022609AFB058FA9DA443947B62A788F98F4CD024CE0B57314EB3A9A61D755

                        Control-flow Graph

                        APIs
                        • LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                        Memory Dump Source
                        • Source File: 00000006.00000002.1321831520.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000006.00000002.1321807624.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321849373.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321883268.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321906989.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321928964.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321954539.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                        • Instruction ID: c1c33eecdd383886d2d8d2bb6f1c2682b4f93b08dfe668e5ddc8be9d462bd23a
                        • Opcode Fuzzy Hash: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                        • Instruction Fuzzy Hash: 06210B72B11B608CE700DBB9EC4439C3B71A348B98F044515DE6DA7BA8EF39C650C394

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 00000006.00000002.1321831520.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000006.00000002.1321807624.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321849373.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321883268.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321906989.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321928964.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321954539.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                        • Instruction ID: e9c459437bb93fbad0663031f86f151610a23291e51109e838943003221a6897
                        • Opcode Fuzzy Hash: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                        • Instruction Fuzzy Hash: F0B01220F13160C3D70C33769C9635850D5574C300FD000288107842A0DC9D02A64640

                        Control-flow Graph

                        APIs
                        • RtlCaptureContext.KERNEL32 ref: 613C2924
                        • RtlLookupFunctionEntry.KERNEL32 ref: 613C293B
                        • RtlVirtualUnwind.KERNEL32 ref: 613C297D
                        • SetUnhandledExceptionFilter.KERNEL32 ref: 613C29C4
                        • UnhandledExceptionFilter.KERNEL32 ref: 613C29D1
                        • GetCurrentProcess.KERNEL32 ref: 613C29D7
                        • TerminateProcess.KERNEL32 ref: 613C29E5
                        Memory Dump Source
                        • Source File: 00000006.00000002.1321831520.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000006.00000002.1321807624.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321849373.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321883268.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321906989.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321928964.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321954539.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
                        • String ID:
                        • API String ID: 3266983031-0
                        • Opcode ID: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                        • Instruction ID: e8e25b836daba40db766a00739c45693a0588c7fa2b6924b27fae8a827f53c88
                        • Opcode Fuzzy Hash: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                        • Instruction Fuzzy Hash: E421D375611B31D9EB008B61F8843C937AAB748B98F480566D94F67734EF3AC764C780

                        Control-flow Graph

                        APIs
                        • VirtualQuery.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2620
                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2642
                        Memory Dump Source
                        • Source File: 00000006.00000002.1321831520.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000006.00000002.1321807624.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321849373.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321883268.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321906989.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321928964.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321954539.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: Virtual$ProtectQuery
                        • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p$T@<a
                        • API String ID: 1027372294-2627587640
                        • Opcode ID: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                        • Instruction ID: 62939e9ad82f9327e1e07ec4eefc127d92b0ac663fd755b0084f4618bd059482
                        • Opcode Fuzzy Hash: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                        • Instruction Fuzzy Hash: 2771DE76B11A2489EB01CF76EA8078AB362B748FACF48D115CD1F17358DB3AC911C352

                        Control-flow Graph

                        APIs
                        • GetSystemTimeAsFileTime.KERNEL32 ref: 613C2875
                        • GetCurrentProcessId.KERNEL32 ref: 613C2880
                        • GetCurrentThreadId.KERNEL32 ref: 613C2888
                        • GetTickCount.KERNEL32 ref: 613C2890
                        • QueryPerformanceCounter.KERNEL32 ref: 613C289D
                        Memory Dump Source
                        • Source File: 00000006.00000002.1321831520.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000006.00000002.1321807624.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321849373.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321883268.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321906989.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321928964.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321954539.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                        • String ID:
                        • API String ID: 1445889803-0
                        • Opcode ID: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                        • Instruction ID: fbcbe058b436404562c126ae5aac31350f057f625ad19c487ba693073682924f
                        • Opcode Fuzzy Hash: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                        • Instruction Fuzzy Hash: 6411BF33756B3082F7005B25B904385B2A2B788BA0F0C5231EE5E53BA4EF3DC9968340

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 00000006.00000002.1321831520.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000006.00000002.1321807624.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321849373.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321883268.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321906989.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321928964.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000006.00000002.1321954539.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: QueryVirtual
                        • String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$T@<a
                        • API String ID: 1804819252-4232178576
                        • Opcode ID: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                        • Instruction ID: 6a292cefe7e1f4070340493715416b3679d18dd40189ba87be4cd8971f2c6506
                        • Opcode Fuzzy Hash: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                        • Instruction Fuzzy Hash: 2631F673701A649AE601DF12ED04B967B65F788FE8F48C121DE1E17320DB3AD652C740
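Two things in the entry above are worth reading correctly before spending time on it. The format strings "VirtualQuery failed for %d bytes at address %p" and "Address %p has no image-section" are the diagnostics of mingw-w64's pseudo-relocation runtime (__write_memory in pseudo-reloc.c), which calls VirtualQuery and VirtualProtect to make a page writable before memcpy patches a relocation; the VirtualProtect in this function is therefore a CRT artefact of a MinGW-built module, not an unpacking routine. Second, the .sdmp file name carries the process index, the region base (it matches the Offset field), the page protection and the memory type: the rundll32 entry comes from a PAGE_EXECUTE_READ MEM_IMAGE region that the report marks "based on PE: true", whereas the entries from processes 12 and 13 below come from PAGE_EXECUTE_READWRITE MEM_PRIVATE regions marked "based on PE: false", which is where unpacked code or shellcode lives. The following triage helper is an added example and not part of the report or of Joe Sandbox; it assumes the field layout <proc>.<phase>.<serial>.<base>.<protect>.<f6>.<type>.<f8>.sdmp, leaves fields 6 and 8 undecoded, and works on a constructed sample copied from two of the entries on this page.

```python
import re
from dataclasses import dataclass, field

# Added triage helper for Joe Sandbox function listings. Example code, not
# part of the report or of Joe Sandbox. Assumption: the .sdmp name is
#   <proc>.<phase>.<serial>.<base>.<protect>.<f6>.<type>.<f8>.sdmp
# with <protect> a Win32 PAGE_* value and <type> a MEM_* value; fields 6
# and 8 are left undecoded. The layout is inferred from the listing itself
# (base matches "Offset", MEM_IMAGE matches "based on PE: true").

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Diagnostics emitted by mingw-w64's pseudo-reloc.c (__write_memory), the CRT
# routine that VirtualProtect()s a page before patching a pseudo-relocation.
MINGW_PSEUDO_RELOC_MARKERS = (
    "VirtualQuery failed for %d bytes at address %p",
    "Address %p has no image-section",
)

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<serial>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<f8>[0-9A-F]{8})\.sdmp$", re.I)


@dataclass
class FunctionEntry:
    source: str
    process: int
    phase: int
    base: int
    protect: int
    mem_type: int
    based_on_pe: bool
    api_ids: list = field(default_factory=list)
    string_ids: list = field(default_factory=list)

    @property
    def rwx(self) -> bool:
        return self.protect in (0x40, 0x80)

    @property
    def is_mingw_pseudo_reloc(self) -> bool:
        return any(m in s for s in self.string_ids for m in MINGW_PSEUDO_RELOC_MARKERS)

    def triage(self) -> str:
        """Coarse label used to order the listing before reading disassembly."""
        if self.is_mingw_pseudo_reloc:
            return "crt-pseudo-reloc"       # mingw-w64 runtime code, not the payload
        if self.rwx and self.mem_type == 0x20000 and not self.based_on_pe:
            return "rwx-private-no-pe"      # unpacked code / shellcode region
        if self.mem_type == 0x1000000:
            return "image"                  # code inside a loaded module
        return "other"


def parse_sdmp(name: str) -> dict:
    """Decode the fields of a dump file name (see the assumption above)."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    return {"process": int(m["proc"], 16), "phase": int(m["phase"], 16),
            "base": int(m["base"], 16), "protect": int(m["protect"], 16),
            "mem_type": int(m["type"], 16)}


def parse_entries(text: str) -> list:
    """Split a function listing into entries, one per 'Source File' line."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line.startswith("Source File:"):
            name, _, rest = line[len("Source File:"):].strip().partition(",")
            cur = FunctionEntry(source=name.strip(), based_on_pe="based on PE: true" in rest,
                                **parse_sdmp(name.strip()))
            entries.append(cur)
        elif cur and line.startswith("API ID:"):
            cur.api_ids = [a for a in line[len("API ID:"):].strip().split("$") if a]
        elif cur and line.startswith("String ID:"):
            cur.string_ids = [s for s in line[len("String ID:"):].strip().split("$") if s]
    return entries


def triage_listing(text: str) -> list:
    """Return (process, base, protection, memory type, label) per entry."""
    return [(e.process, f"{e.base:016X}", PAGE_PROTECT.get(e.protect, hex(e.protect)),
             MEM_TYPE.get(e.mem_type, hex(e.mem_type)), e.triage())
            for e in parse_entries(text)]


# Constructed sample: two entries copied from this listing.
SAMPLE = """\
• Source File: 00000006.00000002.1321831520.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
• API ID: QueryVirtual
• String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$T@<a
• Source File: 0000000C.00000002.1722175683.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
• API ID:
• String ID: 63$US_H
"""

if __name__ == "__main__":
    for row in triage_listing(SAMPLE):
        print(row)
```

Run over the whole listing, the labels put the RWX private regions of processes 12 and 13 (the "pha" snapshots) at the top and push the MinGW CRT function in rundll32 to the bottom, which is the order a reverser wants when deciding which snapshot to open first.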
                        Strings
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1722175683.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: 63$US_H
                        • API String ID: 0-1833780297
                        • Opcode ID: 55f78b2c4274bcd0c23956ba9fd4a5c94db880a595698b85580f0534f3327a54
                        • Instruction ID: 8dcb5b25af4c47ded1b432a0ef617a360d9235f999c77e63a397390ede379505
                        • Opcode Fuzzy Hash: 55f78b2c4274bcd0c23956ba9fd4a5c94db880a595698b85580f0534f3327a54
                        • Instruction Fuzzy Hash: 6872497190DB868FEB49DB6CC8919E57FF0FF56350B0841BAC08ECB1A3DA25A855C781
                        Strings
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1722175683.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: 63
                        • API String ID: 0-3819469774
                        • Opcode ID: 70ce087276d8039b6eccf0b9254a838bf0e9f007355fcfda6e2e179c860ded5e
                        • Instruction ID: 13b85d7be6a56105d18934e485d840fd7e6e75f33a7a5f50f3c41dcb587428d5
                        • Opcode Fuzzy Hash: 70ce087276d8039b6eccf0b9254a838bf0e9f007355fcfda6e2e179c860ded5e
                        • Instruction Fuzzy Hash: 49C18031A08A498FEF84DF58C455AE97BF1FF69340F1441AAD40ED72A6CA34E895CBC0
                        Strings
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1733044520.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: X7IO
                        • API String ID: 0-3372327689
                        • Opcode ID: b94a2bb0d4538179fc4a091bf97a676c75867f67fd16a2c5c5b9c96e1abb0cbd
                        • Instruction ID: 90da410bfd01989d8844a2f4aae92e7d605406138ff8acd4328fbf06f57161f7
                        • Opcode Fuzzy Hash: b94a2bb0d4538179fc4a091bf97a676c75867f67fd16a2c5c5b9c96e1abb0cbd
                        • Instruction Fuzzy Hash: 1BD1676290EA8B9FE795BB68A8159B97BD4EF12350B1801FED14FC70B3D9189C09C3D1
                        Strings
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1722175683.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: 63
                        • API String ID: 0-3819469774
                        • Opcode ID: 3c8f2ccb70c42fcbe6e83db54d8e9141f78e89ff03e429658575a57eab743dc9
                        • Instruction ID: 1b3f8df9266f7c28f25415686c5b6b99b8b30ca17c1ff8a27be756fddc924f04
                        • Opcode Fuzzy Hash: 3c8f2ccb70c42fcbe6e83db54d8e9141f78e89ff03e429658575a57eab743dc9
                        • Instruction Fuzzy Hash: CEE1B371A08A4A8FDB84EF5CC495AE97BF1FFA9340F14417AD40DD72A6CA34A885C7C0
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1733044520.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f39aee7dc14c6387492193342dd3c70f227dd8dabb0e4d93d6e594afe833b017
                        • Instruction ID: 677b9b9560a48f570af517d892ece84a4319dd671e4228e58c47e8c620390aa2
                        • Opcode Fuzzy Hash: f39aee7dc14c6387492193342dd3c70f227dd8dabb0e4d93d6e594afe833b017
                        • Instruction Fuzzy Hash: CC2248A2A0EB8A8FE795AB2CA8455B53BD5EF56350F1401BBD04FC71B3DD18AC4983C1
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1733044520.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 66a0826d38f38567c8d6b60a0e3e28c436177c509b336abd0a12dd9fb83a8449
                        • Instruction ID: fabf7e88b7ef5bf9bfdf90ff9297ef26c5caa27d9870e5a55c4512e7feb0c8a8
                        • Opcode Fuzzy Hash: 66a0826d38f38567c8d6b60a0e3e28c436177c509b336abd0a12dd9fb83a8449
                        • Instruction Fuzzy Hash: D6024862A0EB865FE396A728A8655707FD5EF97260B0941FBD04FC71B3DC189C0A83C1
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1733044520.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: af956162eadd1f0399af4280ed1784a1afdbaaf20f076a6c66fa7ec609c3fa77
                        • Instruction ID: 5bca045a07b1c68ad632409e575995cfb26eab746c4a45e4a12f1d6f192282f9
                        • Opcode Fuzzy Hash: af956162eadd1f0399af4280ed1784a1afdbaaf20f076a6c66fa7ec609c3fa77
                        • Instruction Fuzzy Hash: CAC119B280E68A5FE756A738A8055B57FE4EF57260F0541FBD04EC70B3DA189C4983D2
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1722175683.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7d295f3a27676d3e03f74b8d8d4e15608e91214fd6e705e42149155905bf098b
                        • Instruction ID: 2e4a6dc6ab163553da26af137c54cc348f493785f4fc4b7bcabf1d6c088797fb
                        • Opcode Fuzzy Hash: 7d295f3a27676d3e03f74b8d8d4e15608e91214fd6e705e42149155905bf098b
                        • Instruction Fuzzy Hash: D4911563A0D3974FD706AB6CE8A20D57F64EF83229B0941F7C59DCE0A3F914241983E5
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1733044520.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 75bade4bf781c12759fcb42f02eb7427ec3e6ad0e5baee198bae6b2df463aba1
                        • Instruction ID: cc7f5c7137e5f2888be786e0f17d9ab163ce81d1691d4cafc91b6aefeda54a67
                        • Opcode Fuzzy Hash: 75bade4bf781c12759fcb42f02eb7427ec3e6ad0e5baee198bae6b2df463aba1
                        • Instruction Fuzzy Hash: D65107A2D0EA8A8FF7A1E72CA4515B52BD5EF57290F0941BAC44FC70B3D9199C0983C2
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1733044520.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5ce15a69ffd2926526c98f45907104b1bd38b646e05d879d48535dd7d73f03b0
                        • Instruction ID: e31b0dc40610ae3632e39ff7d1fde22770584be289bb7bc1dafd7c4d73b355d4
                        • Opcode Fuzzy Hash: 5ce15a69ffd2926526c98f45907104b1bd38b646e05d879d48535dd7d73f03b0
                        • Instruction Fuzzy Hash: DF512752A0EB866FE3A5B71CA8685702BD5FF96390B4841BAD44FD71B3DC19AC0983C1
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1733044520.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: da9d4f2a8f44002672cf0c7217b3c90067688628cfb16f368afdc4e169431a7a
                        • Instruction ID: 77c34bce381ab993b83b7e1e08fd0760da9daabededb410be81a8fe4b70b4d16
                        • Opcode Fuzzy Hash: da9d4f2a8f44002672cf0c7217b3c90067688628cfb16f368afdc4e169431a7a
                        • Instruction Fuzzy Hash: 78415962A0DB8A8FEBA5E76C68516A5BFD5EF56350B1840BFD04EC30A3DA159809C3C1
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1722175683.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c39deedb62cf7d94d5aa46a237734a970bde39cf022b7cca731f083e32e2597d
                        • Instruction ID: dcf812a9918c334cd4d499703dd8e408321ec6fc7a5d025afdefb0d67b8ac9ed
                        • Opcode Fuzzy Hash: c39deedb62cf7d94d5aa46a237734a970bde39cf022b7cca731f083e32e2597d
                        • Instruction Fuzzy Hash: F631F77191CF488FEB189F5CD8466E97BE0FB99311F00812FE04993252DA70A855CBC2
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1717292290.00007FFAAB32D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB32D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab32d000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0b653986f4a8e827b3c27baf387e51701fa837a9c03c977c4977695e621a135b
                        • Instruction ID: 5817714593b23338ee9a8d2dc0365b107754922136485190b27d355c504c820d
                        • Opcode Fuzzy Hash: 0b653986f4a8e827b3c27baf387e51701fa837a9c03c977c4977695e621a135b
                        • Instruction Fuzzy Hash: D841467140EBC49FE7568B28D8469523FF0EF53260F1905DFD088CB5A3D629A84AC7A2
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1722175683.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 956014bf1e44295ad4a3290ca76fa02c162f53fa19419f559932efa64b02ff85
                        • Instruction ID: c9a3cd6cad4e85944d76b6bcecfe4bff5402d274ec4bda799ae5fe2af0a24bbb
                        • Opcode Fuzzy Hash: 956014bf1e44295ad4a3290ca76fa02c162f53fa19419f559932efa64b02ff85
                        • Instruction Fuzzy Hash: E7215A26B1DE8A8FEB94EF2DD884AF637D4EFAA26570440BBD40DC7166DD24DC058390
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1722175683.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f4337bed3c025f8ded3519425b015b195976c0dbac7abdd28d8623e35829e4cc
                        • Instruction ID: c21d7d738346f96d77aecc9c6fc6873ecde1e0b1be019ad00e40c20808c042c1
                        • Opcode Fuzzy Hash: f4337bed3c025f8ded3519425b015b195976c0dbac7abdd28d8623e35829e4cc
                        • Instruction Fuzzy Hash: E6313A3190DB888FDB59DFACC8496E9BFE0EF66321F0481AFC049C7162D6755819CB92
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1733044520.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d5015146a4ede802f944aeb7f1a86e646f043ad668c08c4f2b65cc004e481970
                        • Instruction ID: 41070ebc447ddb90b1132cb2596e38f8d3a576f3c89e8801f006847fe8ae1dcc
                        • Opcode Fuzzy Hash: d5015146a4ede802f944aeb7f1a86e646f043ad668c08c4f2b65cc004e481970
                        • Instruction Fuzzy Hash: F1212BA2F0EE4B8FE3A4A61C68555703BC5EBA5390F1841BAD40FC72B3DD54AC4983C1
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1722175683.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                        • Instruction ID: 718e74db34d11c32abd77556616b67ad033d569757b0435e39ffabc2895382b1
                        • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                        • Instruction Fuzzy Hash: F601677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3665DA36E892CB45
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1733044520.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 95d897085a27584066ce51ff72bf65edc227e4bc580745874221b3e21ce2525f
                        • Instruction ID: 83cc6250bdd1022b0fad75eda149c2f02ee397380feb27d336dd239308971dad
                        • Opcode Fuzzy Hash: 95d897085a27584066ce51ff72bf65edc227e4bc580745874221b3e21ce2525f
                        • Instruction Fuzzy Hash: 13F0C8A3D1F7C28AE76653A838520F8AFD4DF032A471840FFD0CF860E3D50A18094392
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1722175683.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 70744461ae5ccc717cd413a90b27d3fe3270dfe4984880f8163348218504d8b2
                        • Instruction ID: 68cbd8d69ba0d4b838f97a9035a3ebe8ce63e503a2209f553f4f0cbdb59c6c5a
                        • Opcode Fuzzy Hash: 70744461ae5ccc717cd413a90b27d3fe3270dfe4984880f8163348218504d8b2
                        • Instruction Fuzzy Hash: 60F0303275C6048FDB4CAA1CF8429B573E1EBD9321B10056EE48BC2696D927E8468685
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1733044520.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9d83d0e282077a2c4fb74adc1509edc2986cb51186e386421d1c7f7131788af6
                        • Instruction ID: 02e2b94183848e2dd737bc33d0f51b35370747a0a5f62fe2c976a5c00f26be68
                        • Opcode Fuzzy Hash: 9d83d0e282077a2c4fb74adc1509edc2986cb51186e386421d1c7f7131788af6
                        • Instruction Fuzzy Hash: 16F09A32A4D5468FD659EB5CF4428E877E8EF5636072100BAE05EC7173CA25EC448B81
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1733044520.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2d43d597c56a6413a860ec408593fbb790cc58c68e2f83a7ef800f14477a3e61
                        • Instruction ID: 127ff245923bdf1bea2644d282e1b395b7c4101b8d3d373e80dcaa5461cd0c45
                        • Opcode Fuzzy Hash: 2d43d597c56a6413a860ec408593fbb790cc58c68e2f83a7ef800f14477a3e61
                        • Instruction Fuzzy Hash: 41F09432A0D5498FE758FB2CF0818A877E4EF06320B2100B6E04ECB073CA26AC44CB80
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1733044520.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                        • Instruction ID: 7379d249b573eb560ded2a86f46ed8178d949a56e274238c74d7134cae361f36
                        • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                        • Instruction Fuzzy Hash: 42E0E531B4C80ACF9A68EB0CF0419A973E5EB9936171151A6D14FC7572CA22EC558B80
                        Strings
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1722175683.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: 8Dd
                        • API String ID: 0-453327945
                        • Opcode ID: 441b62b4dfe60c4aae94afb6804ca7c6cac7695eca2619a7b34cc9b77f7b7153
                        • Instruction ID: 462587adc8d7fd2077c06821fcb367fc533ce3b1c1ad892fc6188a1950df7608
                        • Opcode Fuzzy Hash: 441b62b4dfe60c4aae94afb6804ca7c6cac7695eca2619a7b34cc9b77f7b7153
                        • Instruction Fuzzy Hash: BA32C86BA1F7D39FE312477C98660E57FA0EF9326570940F7C1CA8A0A3E915185E83E1
                        Strings
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1722175683.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: (0P$8,P$@JP$H1P$P/P$^$-P$/P
                        • API String ID: 0-4049320940
                        • Opcode ID: f7dfd6672d7780a2599c7a63e1925a2cdad443ee31735c365e6b7014e83740e9
                        • Instruction ID: a547ad970db3c0d3c61964aedf6715c94ab0bd2d066564d520fb4563d9a78690
                        • Opcode Fuzzy Hash: f7dfd6672d7780a2599c7a63e1925a2cdad443ee31735c365e6b7014e83740e9
                        • Instruction Fuzzy Hash: 7581D68380FBD15FF31647A86C251B55E94FFE2390B1880FBE08D962EBA8549D2D83D5
                        Strings
                        Memory Dump Source
                        • Source File: 0000000C.00000002.1722175683.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: (0P$8,P$H1P$P/P$^$-P$/P
                        • API String ID: 0-4191321229
                        • Opcode ID: 929c8c510b429e067f126c39d20d255f503ff6a2390e66d5dffef20d147c27a8
                        • Instruction ID: 34d3a54fb072fffb288c59cda6e47f5ec50f06701de6bd03ce9cd6c78ec1b5be
                        • Opcode Fuzzy Hash: 929c8c510b429e067f126c39d20d255f503ff6a2390e66d5dffef20d147c27a8
                        • Instruction Fuzzy Hash: 1D31818380FAE15FF31946D82C650F55F98FBA6390B1884FBE0CD866EB98548D2D83D1
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1722966017.00007FFAAB470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab470000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: 63$UP_H
                        • API String ID: 0-1863055888
                        • Opcode ID: c4439d80b2e338d5b9d1f37faaf0f6657456327ec9e63853dbbd1695ce5fb703
                        • Instruction ID: a373d47d73ecd0eacffea72ec967a1e6a354d994f4b07523e39139dda97a33f2
                        • Opcode Fuzzy Hash: c4439d80b2e338d5b9d1f37faaf0f6657456327ec9e63853dbbd1695ce5fb703
                        • Instruction Fuzzy Hash: 5552577190DA898FEB49EF1CC491AB87BE0FF56350F1441BAD04DC72A7DA25A886C7C1
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1722966017.00007FFAAB470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab470000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: 63
                        • API String ID: 0-3819469774
                        • Opcode ID: 0008273dd3483193f4d93d680a917ba24710375df7b3b18281576d5db5b834c6
                        • Instruction ID: 0a1e2d12e5cc42f75f58dc007663f59e635878781ac1114a60acb163c0983bdc
                        • Opcode Fuzzy Hash: 0008273dd3483193f4d93d680a917ba24710375df7b3b18281576d5db5b834c6
                        • Instruction Fuzzy Hash: E2C17E31E09A498FEF95EF58C454AA97BF2FF69340F1441AAD40DD7296CA34E885CBC0
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1722966017.00007FFAAB470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab470000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: 63
                        • API String ID: 0-3819469774
                        • Opcode ID: 375f93ec24b72877d12a9232fa8cd2ef7f38bde7b21d3de0a009afcc57013039
                        • Instruction ID: be5a39509025eda629938bf120f44d55dcf2810e7d4f86130e09df21316ff2de
                        • Opcode Fuzzy Hash: 375f93ec24b72877d12a9232fa8cd2ef7f38bde7b21d3de0a009afcc57013039
                        • Instruction Fuzzy Hash: 83C17C71A08A4D8FDF94EF58C495AAD7BE1FFA9340F14816AD40DD7296CA34E885CBC0
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1732577321.00007FFAAB540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB540000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab540000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 80da650eaf10e44cd6fb6c1079e880183c1fdac0c86d47def231e4985f78c516
                        • Instruction ID: 41a063fa08dc05d3ffbe817e25e23a8e420e1273efbf547306d31e4c4cb74f49
                        • Opcode Fuzzy Hash: 80da650eaf10e44cd6fb6c1079e880183c1fdac0c86d47def231e4985f78c516
                        • Instruction Fuzzy Hash: B1224972A4EB8A8FE795A728D8455F53BE6EF56350F0401BBD04EC71A3DD18A80983D1
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1732577321.00007FFAAB540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB540000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab540000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5239b7da379bc62610f9a2df4a74351ee55e1f5fb1135a1acafe36ec02e5295d
                        • Instruction ID: ad47ed34cb59880ae39599d57ba25235742dfb87659d0322e7ddc83b1ad1ee30
                        • Opcode Fuzzy Hash: 5239b7da379bc62610f9a2df4a74351ee55e1f5fb1135a1acafe36ec02e5295d
                        • Instruction Fuzzy Hash: F7122762A5EB864FE3969728D8555F07FE6EF57260B0841FBD04EC71B3DD08AC0A8391
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1732577321.00007FFAAB540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB540000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab540000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dfd3b0e71d0639aa9a69beab28eb022845f9a05d44d41ee8e048584c57fa2d50
                        • Instruction ID: 21b0bd766b875d07fbf101d69df532e9f057c71a234e0c0391049102d19a2bbc
                        • Opcode Fuzzy Hash: dfd3b0e71d0639aa9a69beab28eb022845f9a05d44d41ee8e048584c57fa2d50
                        • Instruction Fuzzy Hash: E9E17866A5E7D64FE3578B7898555E07FE6EF47260B0941FBC08DCB0A3C9095C0AC392
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1732577321.00007FFAAB540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB540000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab540000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b45991bc100150f7f182fd972ade37f31283d9796042e489c5cba5f2b0d628ca
                        • Instruction ID: aca3d7e596be163ff62f45083dbda287d87ea55c654f38c2902923d7ae165dc9
                        • Opcode Fuzzy Hash: b45991bc100150f7f182fd972ade37f31283d9796042e489c5cba5f2b0d628ca
                        • Instruction Fuzzy Hash: D8D1796290EB8B8FE795AB68D8556F57BD6EF03350B1801FED04EC70A3D9189809C3D1
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1732577321.00007FFAAB540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB540000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab540000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 716f3cc89e2e43e393082b2050aebbab7f13eedf582d4df08ba09ea65e287e8f
                        • Instruction ID: 095ff5d8bbc01b6c295d3616ea20f7f6dd9e5c0da11d5eda36dcd0b845aafdff
                        • Opcode Fuzzy Hash: 716f3cc89e2e43e393082b2050aebbab7f13eedf582d4df08ba09ea65e287e8f
                        • Instruction Fuzzy Hash: C9D1246280E78A9FE7569738D8555F53FA5EF47260F0941FBD08DCB0A3DA18980A83D2
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1722966017.00007FFAAB470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab470000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 11f8ac1b74f6ea172e1dd6d0950d6003eaf08c3825e643aad3da8fbbe36db052
                        • Instruction ID: 308886eabab713bd7c4f06183ed34fc5db12ff1d0cca0ec71cbe6f12fb001b14
                        • Opcode Fuzzy Hash: 11f8ac1b74f6ea172e1dd6d0950d6003eaf08c3825e643aad3da8fbbe36db052
                        • Instruction Fuzzy Hash: 0171407790DBC69FF345ABBCD8A64E47BA0FF9226970D46B3D08C8A073ED14185986C1
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1722966017.00007FFAAB470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab470000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c7a68a846c904ad5510943c3535e3661be55a41374ecd32f507a76dca822313e
                        • Instruction ID: 6544944066d09a14fa96c62706a58bc65de324bc404ebdaa385b8dc0b5ab9eb2
                        • Opcode Fuzzy Hash: c7a68a846c904ad5510943c3535e3661be55a41374ecd32f507a76dca822313e
                        • Instruction Fuzzy Hash: 416137B250EBC58FE749CB2CC895464BBF0EF5635470945FED089CB1A3E915A84BC782
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1722966017.00007FFAAB470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab470000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fa37fc7fa08a0eb63edf477b6f9dd0778eab36d3c521cc6dc011dbe710bac807
                        • Instruction ID: 32e559f67a135bc614248e3144c9d4e7ecbf072f305f6bfe220bd8a06834b4a7
                        • Opcode Fuzzy Hash: fa37fc7fa08a0eb63edf477b6f9dd0778eab36d3c521cc6dc011dbe710bac807
                        • Instruction Fuzzy Hash: E531F97191CB489FEB18DB5C984A6A97BE0FBA9311F00812FE449D3252DA70A855CBC2
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1717782956.00007FFAAB35D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB35D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab35d000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7cf8caedea51b7515d9ac3dc88e8ba9515e669cd00181f89f56473b770a0e5ef
                        • Instruction ID: eb058cafd29e0b4a094510cf3b9d34c7dc74263457405c45ea819bc6518d7a67
                        • Opcode Fuzzy Hash: 7cf8caedea51b7515d9ac3dc88e8ba9515e669cd00181f89f56473b770a0e5ef
                        • Instruction Fuzzy Hash: C841B07240EBC48FD757DB3898595513FB0EF17250B0985EFD088CF5A7E628A809C7A2
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1722966017.00007FFAAB470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab470000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8c1cd0564f67070acde60327479fb54e78938087559029d5d7503a063ab58937
                        • Instruction ID: e354bb24492a7206f26465ddf49de148cf13ddb90d1d42432e92553eed11a647
                        • Opcode Fuzzy Hash: 8c1cd0564f67070acde60327479fb54e78938087559029d5d7503a063ab58937
                        • Instruction Fuzzy Hash: 10215A62B0DE8E8FDB90DB2CD855AB477D5FFA725570801B7D04CC3162DD14D8468380
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1722966017.00007FFAAB470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab470000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 314588f6a0afc11a937a802103e3ebcffaa4b8217844a0c7d3cf7f7561314d81
                        • Instruction ID: babe7152e5a5af04e475828415080da21f25bb35db8f867d390142cf94864ae7
                        • Opcode Fuzzy Hash: 314588f6a0afc11a937a802103e3ebcffaa4b8217844a0c7d3cf7f7561314d81
                        • Instruction Fuzzy Hash: B5212B7190C78C8FDB59DBACD84A7E97FF0EB96321F04416BD048C3162D674945ACB92
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1722966017.00007FFAAB470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab470000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                        • Instruction ID: e3a4c77bf5f2a951ae31564d57dcd7e733a1c1195d6e7e8debf0cfe92705bdbc
                        • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                        • Instruction Fuzzy Hash: D601677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC36A5DA36E892CB45
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1732577321.00007FFAAB540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB540000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab540000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8246d1ceb03f3d9e08cbd00c6cd3ddea84971663a7e38f14e5fe70232c3a16e0
                        • Instruction ID: b3c7903df2dacde4899fbc4ca49cf80d19a612b54ddaed8d22f615b78eaf008e
                        • Opcode Fuzzy Hash: 8246d1ceb03f3d9e08cbd00c6cd3ddea84971663a7e38f14e5fe70232c3a16e0
                        • Instruction Fuzzy Hash: A2F0FCA7D6F7D28AE76643A858520F8BFD6DF032A471940FFD08E860D7D80A280953D3
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1722966017.00007FFAAB470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab470000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5f183dd218b1e7df1abb2e7f81492dd1ddbada4d126069de0cce3372576afe15
                        • Instruction ID: 553a719b39388e0d0f1ccc0757235b541853cce4081e6e2ce3127c9d24bca842
                        • Opcode Fuzzy Hash: 5f183dd218b1e7df1abb2e7f81492dd1ddbada4d126069de0cce3372576afe15
                        • Instruction Fuzzy Hash: A5F0303275C6088FDB4CAA1CF8529B573E1EB99321B10056EE48BC2696D927E886C685
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1732577321.00007FFAAB540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB540000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab540000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 89a77255ea757af5ff982d1456289e12f861a36ca891993e5c165ea84b0b9f41
                        • Instruction ID: 412e0f2de4aa835c5e5cc84c65f0da60162e0042577ec36af7c090f7f00ccc9e
                        • Opcode Fuzzy Hash: 89a77255ea757af5ff982d1456289e12f861a36ca891993e5c165ea84b0b9f41
                        • Instruction Fuzzy Hash: 2BF0BE32A8D9458FD759EB5CE4428E877E9EF5636072100BAE05EC7173CE25EC44C781
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1732577321.00007FFAAB540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB540000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab540000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3bc9e1cbbe4f758eca55abeabc5f104d40a6b128f2248a22c87147df7fdda248
                        • Instruction ID: a55dc87c806625525538b52c5ab23396fd3a1f3a83329e551cb992de10cb4a29
                        • Opcode Fuzzy Hash: 3bc9e1cbbe4f758eca55abeabc5f104d40a6b128f2248a22c87147df7fdda248
                        • Instruction Fuzzy Hash: 85F0B832A8D5498FD758FB6CE0818E8B7E4EF06320B2104F6E14ECB463CA26AC44C780
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1732577321.00007FFAAB540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB540000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab540000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                        • Instruction ID: 431d2e2543d35696d408a0528fb24a3c6114a2e4411059e181a9e193c41f7467
                        • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                        • Instruction Fuzzy Hash: 75E01A31B8C809CFDA68DB0CE0419E973E6EB9A36171151B7D14FC7572CA22EC558BC0
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1722966017.00007FFAAB470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab470000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3dc528f400e4341693587660fb62d0c1ccb157bdc261a789e3c9d8b0f6e58666
                        • Instruction ID: 0b6095f28d24e69d1f5629175b5a9d2422cc17ea0e050d5a336a1f5582b1d863
                        • Opcode Fuzzy Hash: 3dc528f400e4341693587660fb62d0c1ccb157bdc261a789e3c9d8b0f6e58666
                        • Instruction Fuzzy Hash: A7E0CD2024D7868FD344962C9040BBD77819FC6350F94487DF4DD83393C94D58819352
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1722966017.00007FFAAB470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab470000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: (0P$8,P$@JP$H1P$P/P$^$-P$/P
                        • API String ID: 0-4049320940
                        • Opcode ID: 0e628309eacb0d17e09439097bcf764858dc31b14d64f4827d398a66ec8920d9
                        • Instruction ID: 3dcbf23319135420d876d59a39721d21692e19fcc693f0d980c6030380263564
                        • Opcode Fuzzy Hash: 0e628309eacb0d17e09439097bcf764858dc31b14d64f4827d398a66ec8920d9
                        • Instruction Fuzzy Hash: FE81A68390FBD15FF31687A82C151B55E94FFA2290B1880FBE0CC966EBA8549D4DC3D5
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1722966017.00007FFAAB470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab470000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: K_^$K_^$K_^$K_^
                        • API String ID: 0-3666970850
                        • Opcode ID: 17da05a5b86b04054a9d4980e0001301f144258314bdb25198cb6786eee26dd7
                        • Instruction ID: fab7df0ea74f61bd589c5b102cbb3769125a265675096d53a718022aed016c3b
                        • Opcode Fuzzy Hash: 17da05a5b86b04054a9d4980e0001301f144258314bdb25198cb6786eee26dd7
                        • Instruction Fuzzy Hash: ED4186B290EBC29FF756476988650A17FA0FF63254B0D42F7C188CB4B3E919184AC292
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.1722966017.00007FFAAB470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_7ffaab470000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: K_^$K_^$K_^$K_^
                        • API String ID: 0-3666970850
                        • Opcode ID: 8b6cb26c311988ce11b4bf80c69da490accf3fe26a8d9a618f48fd27f71b95bc
                        • Instruction ID: e926125d6ef08632c6a5a32703f6cfb08038862de6f3dfe0a050bf075637abb8
                        • Opcode Fuzzy Hash: 8b6cb26c311988ce11b4bf80c69da490accf3fe26a8d9a618f48fd27f71b95bc
                        • Instruction Fuzzy Hash: 403187B290EBC29FF75A475A88550A17FA1FF6326470D43F6C188874A3E9191C4BC6D2

                        Execution Graph

                        Execution Coverage:20.1%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:0%
                        Total number of Nodes:148
                        Total number of Limit Nodes:2
                        execution_graph 835 613c13e0 836 613c13f6 835->836 841 613c2830 836->841 838 613c1413 845 613c2bc0 838->845 842 613c2859 841->842 843 613c2870 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 841->843 842->838 844 613c28cd 843->844 844->838 847 613c2bcf 845->847 846 613c1418 847->846 848 613c2c90 RtlAddFunctionTable 847->848 848->846 849 613c1290 850 613c12af 849->850 851 613c12f0 849->851 854 613c2470 6 API calls 850->854 855 613c12d6 850->855 876 613c2470 851->876 853 613c12f5 856 613c1305 853->856 857 613c12be 853->857 854->857 896 613c1050 856->896 859 613c222b 5 API calls 857->859 861 613c12cb 859->861 860 613c130a 860->855 862 613c1370 860->862 863 613c1353 860->863 861->855 866 613c1050 2 API calls 861->866 864 613c1375 862->864 865 613c13c0 862->865 863->855 867 613c1050 2 API calls 863->867 902 613c2810 864->902 868 613c222b 5 API calls 865->868 866->855 867->855 868->861 870 613c137a 907 613c222b 870->907 873 613c222b 5 API calls 874 613c13a1 873->874 875 613c1050 2 API calls 874->875 875->861 879 613c24a0 876->879 881 613c248b 876->881 877 613c2650 878 613c2659 877->878 877->881 880 613c2300 4 API calls 878->880 883 613c2688 878->883 879->877 879->881 882 613c253c 879->882 880->878 881->853 882->881 885 613c26f6 882->885 886 613c268d 882->886 888 613c2594 882->888 893 613c26c1 882->893 887 613c25c4 883->887 884 613c2300 4 API calls 884->885 890 613c2300 4 API calls 885->890 886->885 889 613c2300 4 API calls 886->889 887->881 894 613c2613 VirtualQuery 887->894 888->882 888->885 888->887 911 613c2300 888->911 889->893 891 613c2739 890->891 891->881 893->884 894->881 895 613c262c VirtualProtect 894->895 895->887 897 613c1066 896->897 898 613c10e0 896->898 899 613c1094 Sleep 897->899 901 613c10a8 897->901 900 613c1119 Sleep 898->900 898->901 899->897 900->898 901->860 903 613c281a 902->903 904 613c27b0 902->904 903->870 920 613c2f20 904->920 908 613c138a 907->908 909 613c2244 907->909 
908->855 908->873 929 613c1e6b 909->929 912 613c2332 911->912 913 613c2393 VirtualQuery 912->913 916 613c2435 912->916 914 613c23c1 memcpy 913->914 913->916 917 613c248b 916->917 918 613c2613 VirtualQuery 916->918 917->888 918->917 919 613c262c VirtualProtect 918->919 919->916 921 613c2f34 920->921 922 613c2fb5 921->922 927 613c36b0 _lock 921->927 922->870 928 613ca324 927->928 930 613c1ea5 929->930 959 613c1d97 LoadLibraryW 930->959 932 613c1f55 933 613c1d97 LoadLibraryW 932->933 934 613c1f81 933->934 935 613c1d97 LoadLibraryW 934->935 936 613c1fe5 935->936 937 613c1d97 LoadLibraryW 936->937 938 613c2011 937->938 939 613c201d WinExec 938->939 961 613c3620 Sleep 939->961 941 613c2038 942 613c1d97 LoadLibraryW 941->942 943 613c2064 942->943 944 613c1d97 LoadLibraryW 943->944 945 613c2090 944->945 946 613c1d97 LoadLibraryW 945->946 947 613c217b 946->947 948 613c1d97 LoadLibraryW 947->948 949 613c21a7 948->949 950 613c21b3 WinExec 949->950 951 613c21d3 950->951 952 613c1d97 LoadLibraryW 951->952 953 613c21f0 952->953 954 613c1d97 LoadLibraryW 953->954 955 613c221c ExitProcess 954->955 957 613c222b 955->957 956 613c2258 956->908 957->956 958 613c1e6b 2 API calls 957->958 958->956 960 613c1dc1 959->960 960->932 961->941 962 613c2e70 963 613c2e78 962->963 964 613c2e7d 963->964 967 613c3530 963->967 966 613c2e95 968 613c3539 967->968 969 613c3582 967->969 972 613c353b 968->972 973 613c3554 968->973 970 613c358c 969->970 971 613c35a0 InitializeCriticalSection 969->971 970->966 971->970 975 613c354a 972->975 979 613c33a0 EnterCriticalSection 972->979 974 613c355e 973->974 977 613c33a0 3 API calls 973->977 974->975 976 613c3569 DeleteCriticalSection 974->976 975->966 976->975 977->974 980 613c33f4 979->980 982 613c33c1 979->982 981 613c33d0 TlsGetValue GetLastError 981->982 982->980 982->981 984 613c2ea0 985 613c2eb2 984->985 986 613c3530 5 API calls 985->986 987 613c2ec2 985->987 986->987 988 613c2910 RtlCaptureContext RtlLookupFunctionEntry 989 613c294d RtlVirtualUnwind 
988->989 990 613c29f0 988->990 991 613c2983 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 989->991 990->991 991->990 992 613c3410 993 613c3430 992->993 994 613c3421 992->994 993->994 995 613c344c EnterCriticalSection LeaveCriticalSection 993->995 996 613c3490 997 613c349f 996->997 998 613c34b0 EnterCriticalSection 996->998 999 613c34e7 LeaveCriticalSection 998->999 1000 613c34cb 998->1000 1001 613c34f4 999->1001 1000->999 1002 613c34d1 1000->1002 1003 613c3510 LeaveCriticalSection 1002->1003 1003->1001 983 613c37b1 RtlAddFunctionTable

                        Callgraph

                        callgraph 0 Function_613D16BF 1 Function_613C36B8 2 Function_613C19B9 3 Function_613C3030 4 Function_613C3530 17 Function_613C33A0 4->17 5 Function_613C2CB0 28 Function_613C3390 5->28 6 Function_613C1430 7 Function_613C36B0 8 Function_613C2830 9 Function_613C31B0 45 Function_613C2FF0 9->45 10 Function_613C37B1 11 Function_613C36A9 12 Function_613C192A 13 Function_613C222B 50 Function_613C1E6B 13->50 51 Function_613C1E65 13->51 56 Function_613C1E5F 13->56 57 Function_613C1E59 13->57 14 Function_613C3620 15 Function_613C3120 15->45 16 Function_613C2F20 16->1 16->7 36 Function_613C2280 16->36 48 Function_613C2270 16->48 18 Function_613C2EA0 18->4 19 Function_613D0021 20 Function_613D039A 21 Function_613CA294 22 Function_613C1D97 23 Function_613C2F10 24 Function_613C1290 24->13 25 Function_613C3610 24->25 26 Function_613C2810 24->26 47 Function_613C2470 24->47 58 Function_613C1050 24->58 26->16 27 Function_613C2910 29 Function_613C2A10 29->28 30 Function_613C3410 31 Function_613C3490 32 Function_613C3012 33 Function_613D0513 34 Function_613C1D0E 55 Function_613C16DC 34->55 35 Function_613C3080 35->45 37 Function_613C1000 37->36 38 Function_613C2300 38->15 38->38 44 Function_613C3170 38->44 59 Function_613C35D0 38->59 64 Function_613C3240 38->64 39 Function_613C3280 39->3 39->45 40 Function_613D0D00 41 Function_613D1DFE 42 Function_613C1C79 42->55 43 Function_613D057A 44->45 46 Function_613C2E70 46->4 47->38 47->44 47->59 49 Function_613C22ED 50->12 50->14 50->22 50->50 50->51 50->55 50->56 50->57 52 Function_613C13E0 52->8 63 Function_613C2BC0 52->63 53 Function_613C32E0 53->3 53->45 54 Function_613C1B61 58->48 60 Function_613D1CCD 61 Function_613C1848 62 Function_613D1E4B 63->9 63->35 63->64 64->45

                        Control-flow Graph

                        APIs
                          • Part of subcall function 613C1D97: LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                        • WinExec.KERNEL32 ref: 613C202C
                          • Part of subcall function 613C3620: Sleep.KERNEL32 ref: 613C362A
                        • WinExec.KERNEL32 ref: 613C21C2
                        • ExitProcess.KERNEL32 ref: 613C2228
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1350232438.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000010.00000002.1350116938.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350315159.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350342276.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350397871.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350423496.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350567490.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: Exec$ExitLibraryLoadProcessSleep
                        • String ID: 4VULgU2Y$=82LgYWaw5SYoBHXcNWasJWdQxFXzJXZzVFXcpzQgQ2LgUGel5CbsVGazJXZ39GccxFMuEjdcxFbsVGaTJXZ39GUzd3bk5WaXxFXyMTblR3c5NFXcN3dvRmbpdFXcpzQgk3LgwGd1RnblNXZ$==Qaz1WQ$=cmbpJHd$=cmbpJHd$T5WYjNVa$T5WYjNVa$gYWaw5SY$ggGdhBlb$h1WbvNUL$icCX6M0J$kFkIgQmb$oBHXcNWa$sJWdQxFX$uVmclZWZ$vl2c1x2Y$yBFcN1CZ$z1WQ$z1WQ$zJXZzVFX
                        • API String ID: 1758684399-1342957281
                        • Opcode ID: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                        • Instruction ID: a98b6bfe7a99aebf3bb0dc4532f6b7cdca838be127f0f4748d87de296261d5c7
                        • Opcode Fuzzy Hash: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                        • Instruction Fuzzy Hash: 74813E75701B869DCF24EBA6A8543E873A5A785F8CF4480398E8E5FB18FF38C6159341

                        Control-flow Graph

                        control_flow_graph 87 613c2bc0-613c2bda call 613c3240 90 613c2bdc-613c2bdf 87->90 91 613c2c01-613c2c0b 87->91 90->91 92 613c2be1-613c2bfa call 613c3080 90->92 95 613c2bfc 92->95 96 613c2c10-613c2c40 92->96 95->91 97 613c2c70-613c2c7b call 613c31b0 96->97 100 613c2c7d-613c2c80 97->100 101 613c2c42-613c2c6e 97->101 100->95 102 613c2c86-613c2c88 100->102 101->97 103 613c2ca5-613c2caa 101->103 104 613c2c90-613c2ca0 RtlAddFunctionTable 102->104 103->104 104->95
                        APIs
                        • RtlAddFunctionTable.KERNEL32 ref: 613C2C9A
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1350232438.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000010.00000002.1350116938.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350315159.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350342276.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350397871.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350423496.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350567490.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: FunctionTable
                        • String ID: .pdata
                        • API String ID: 1252446317-4177594709
                        • Opcode ID: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                        • Instruction ID: a98d7effac0a08117c3fa1e10c50b581c5c7b73d9eed72f9ca58742f97c7602a
                        • Opcode Fuzzy Hash: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                        • Instruction Fuzzy Hash: 4621B472B022609AFB058FA9DA443947B62A788F98F4CD024CE0B57314EB3A9A61D755

                        Control-flow Graph

                        control_flow_graph 105 613c1d97-613c1dca LoadLibraryW 107 613c1dcc-613c1e2d 105->107 108 613c1e31-613c1e58 105->108 107->108
                        APIs
                        • LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                        Memory Dump Source
                        • Source File: 00000010.00000002.1350232438.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000010.00000002.1350116938.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350315159.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350342276.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350397871.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350423496.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350567490.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                        • Instruction ID: c1c33eecdd383886d2d8d2bb6f1c2682b4f93b08dfe668e5ddc8be9d462bd23a
                        • Opcode Fuzzy Hash: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                        • Instruction Fuzzy Hash: 06210B72B11B608CE700DBB9EC4439C3B71A348B98F044515DE6DA7BA8EF39C650C394

                        Control-flow Graph

                        control_flow_graph 160 613c3620-613c3636 Sleep
                        APIs
                        Memory Dump Source
                        • Source File: 00000010.00000002.1350232438.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000010.00000002.1350116938.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350315159.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350342276.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350397871.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350423496.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350567490.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                        • Instruction ID: e9c459437bb93fbad0663031f86f151610a23291e51109e838943003221a6897
                        • Opcode Fuzzy Hash: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                        • Instruction Fuzzy Hash: F0B01220F13160C3D70C33769C9635850D5574C300FD000288107842A0DC9D02A64640

                        Control-flow Graph

                        APIs
                        • RtlCaptureContext.KERNEL32 ref: 613C2924
                        • RtlLookupFunctionEntry.KERNEL32 ref: 613C293B
                        • RtlVirtualUnwind.KERNEL32 ref: 613C297D
                        • SetUnhandledExceptionFilter.KERNEL32 ref: 613C29C4
                        • UnhandledExceptionFilter.KERNEL32 ref: 613C29D1
                        • GetCurrentProcess.KERNEL32 ref: 613C29D7
                        • TerminateProcess.KERNEL32 ref: 613C29E5
                        Memory Dump Source
                        • Source File: 00000010.00000002.1350232438.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000010.00000002.1350116938.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350315159.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350342276.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350397871.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350423496.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350567490.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
                        • String ID:
                        • API String ID: 3266983031-0
                        • Opcode ID: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                        • Instruction ID: e8e25b836daba40db766a00739c45693a0588c7fa2b6924b27fae8a827f53c88
                        • Opcode Fuzzy Hash: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                        • Instruction Fuzzy Hash: E421D375611B31D9EB008B61F8843C937AAB748B98F480566D94F67734EF3AC764C780

                        Control-flow Graph

                        control_flow_graph 188 613c2470-613c2489 189 613c248b-613c2498 188->189 190 613c24a0-613c24f7 call 613c3170 call 613c35d0 188->190 190->189 195 613c24f9-613c24fd 190->195 196 613c24ff-613c2505 195->196 197 613c2525-613c252b 195->197 198 613c250b-613c2512 196->198 199 613c2650-613c2653 196->199 197->199 200 613c2531-613c2536 197->200 198->199 201 613c2518-613c251f 198->201 199->189 203 613c2659-613c2660 199->203 200->199 202 613c253c-613c2542 200->202 201->202 204 613c2521 201->204 205 613c275c-613c2781 call 613c2290 202->205 206 613c2548-613c254f 202->206 207 613c2664-613c2686 call 613c2300 203->207 204->197 217 613c27a0-613c27a4 205->217 218 613c2783-613c279e 205->218 206->189 210 613c2555-613c2560 206->210 216 613c2688 207->216 211 613c256a-613c257f 210->211 214 613c2585 211->214 215 613c26c6-613c26f6 call 613c2300 211->215 219 613c268d-613c2690 214->219 220 613c258b-613c258e 214->220 225 613c26fb-613c270a call 613c2290 215->225 221 613c25c4-613c25d0 216->221 218->217 219->225 226 613c2692-613c26c1 call 613c2300 219->226 223 613c270f-613c2739 call 613c2300 220->223 224 613c2594-613c2597 220->224 221->189 227 613c25d6-613c25e8 221->227 242 613c273e-613c2757 call 613c2290 223->242 224->225 230 613c259d-613c25c2 call 613c2300 224->230 225->223 226->215 232 613c2603-613c2611 227->232 230->211 230->221 238 613c25f0-613c25fd 232->238 239 613c2613-613c2626 VirtualQuery 232->239 238->189 238->232 241 613c262c-613c2645 VirtualProtect 239->241 239->242 241->238 242->205
                        APIs
                        • VirtualQuery.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2620
                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2642
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1350232438.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000010.00000002.1350116938.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350315159.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350342276.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350397871.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350423496.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350567490.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: Virtual$ProtectQuery
                        • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p$T@<a
                        • API String ID: 1027372294-2627587640
                        • Opcode ID: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                        • Instruction ID: 62939e9ad82f9327e1e07ec4eefc127d92b0ac663fd755b0084f4618bd059482
                        • Opcode Fuzzy Hash: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                        • Instruction Fuzzy Hash: 2771DE76B11A2489EB01CF76EA8078AB362B748FACF48D115CD1F17358DB3AC911C352

                        Control-flow Graph

                        APIs
                        • GetSystemTimeAsFileTime.KERNEL32 ref: 613C2875
                        • GetCurrentProcessId.KERNEL32 ref: 613C2880
                        • GetCurrentThreadId.KERNEL32 ref: 613C2888
                        • GetTickCount.KERNEL32 ref: 613C2890
                        • QueryPerformanceCounter.KERNEL32 ref: 613C289D
                        Memory Dump Source
                        • Source File: 00000010.00000002.1350232438.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000010.00000002.1350116938.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350315159.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350342276.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350397871.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350423496.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350567490.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                        • String ID:
                        • API String ID: 1445889803-0
                        • Opcode ID: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                        • Instruction ID: fbcbe058b436404562c126ae5aac31350f057f625ad19c487ba693073682924f
                        • Opcode Fuzzy Hash: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                        • Instruction Fuzzy Hash: 6411BF33756B3082F7005B25B904385B2A2B788BA0F0C5231EE5E53BA4EF3DC9968340

                        Control-flow Graph

                        control_flow_graph 270 613c2300-613c232e 271 613c2332-613c2359 270->271 273 613c235b-613c2369 call 613c3120 271->273 276 613c236f-613c23bf call 613c3240 VirtualQuery 273->276 277 613c2452-613c2489 call 613c2290 273->277 283 613c2435-613c244d call 613c2290 276->283 284 613c23c1-613c23cb 276->284 286 613c248b-613c2498 277->286 287 613c24a0-613c24f7 call 613c3170 call 613c35d0 277->287 283->277 288 613c23cd-613c23d3 284->288 289 613c23f9-613c36a0 memcpy 284->289 287->286 295 613c24f9-613c24fd 287->295 288->289 296 613c24ff-613c2505 295->296 297 613c2525-613c252b 295->297 298 613c250b-613c2512 296->298 299 613c2650-613c2653 296->299 297->299 300 613c2531-613c2536 297->300 298->299 301 613c2518-613c251f 298->301 299->286 303 613c2659-613c2660 299->303 300->299 302 613c253c-613c2542 300->302 301->302 304 613c2521 301->304 305 613c275c-613c2781 call 613c2290 302->305 306 613c2548-613c254f 302->306 307 613c2664-613c2686 call 613c2300 303->307 304->297 317 613c27a0-613c27a4 305->317 318 613c2783-613c279e 305->318 306->286 310 613c2555-613c2560 306->310 316 613c2688 307->316 311 613c256a-613c257f 310->311 314 613c2585 311->314 315 613c26c6-613c26f6 call 613c2300 311->315 319 613c268d-613c2690 314->319 320 613c258b-613c258e 314->320 325 613c26fb-613c270a call 613c2290 315->325 321 613c25c4-613c25d0 316->321 318->317 319->325 326 613c2692-613c26c1 call 613c2300 319->326 323 613c270f-613c2739 call 613c2300 320->323 324 613c2594-613c2597 320->324 321->286 327 613c25d6-613c25e8 321->327 342 613c273e-613c2757 call 613c2290 323->342 324->325 330 613c259d-613c25c2 call 613c2300 324->330 325->323 326->315 332 613c2603-613c2611 327->332 330->311 330->321 338 613c25f0-613c25fd 332->338 339 613c2613-613c2626 VirtualQuery 332->339 338->286 338->332 341 613c262c-613c2645 VirtualProtect 339->341 339->342 341->338 342->305
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1350232438.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000010.00000002.1350116938.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350315159.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350342276.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350397871.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350423496.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000010.00000002.1350567490.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: QueryVirtual
                        • String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$T@<a
                        • API String ID: 1804819252-4232178576
                        • Opcode ID: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                        • Instruction ID: 6a292cefe7e1f4070340493715416b3679d18dd40189ba87be4cd8971f2c6506
                        • Opcode Fuzzy Hash: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                        • Instruction Fuzzy Hash: 2631F673701A649AE601DF12ED04B967B65F788FE8F48C121DE1E17320DB3AD652C740
                        Memory Dump Source
                        • Source File: 00000013.00000002.1971480919.00007FFAAB520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB520000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab520000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cd85aa0f018d905323425f72cc196b619a164fd97e40c8b2e72c8e2c1ea4f3f6
                        • Instruction ID: 612352e27514e2a7c33695c8abd2abd5f47c1ebe73b27d711640e38bb6cfbc63
                        • Opcode Fuzzy Hash: cd85aa0f018d905323425f72cc196b619a164fd97e40c8b2e72c8e2c1ea4f3f6
                        • Instruction Fuzzy Hash: FFB11752A0FBC64FE796A76898555707FE5FF57250B0940FBD08EC71A3D829AC0983C2
                        Strings
                        Memory Dump Source
                        • Source File: 00000013.00000002.1966893681.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab450000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: 63
                        • API String ID: 0-3819469774
                        • Opcode ID: c36f96540908227e015cef9ad27fc1eb84813a909d77dd40daa8cafb8932063a
                        • Instruction ID: 4fde1bf486b65c76e95f4a7b7b75cfda7a2b186413694886e9b1860bf831bcbf
                        • Opcode Fuzzy Hash: c36f96540908227e015cef9ad27fc1eb84813a909d77dd40daa8cafb8932063a
                        • Instruction Fuzzy Hash: 4E22E371A0DA498FDB84EF5CC485AA97BE1FF59350F1442AED04DC72A6CA24EC46CBC1
                        Strings
                        Memory Dump Source
                        • Source File: 00000013.00000002.1966893681.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab450000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: 63
                        • API String ID: 0-3819469774
                        • Opcode ID: 5175ff3fcd06e1b8dfc0216d7d61f9fd44ee4f51de22dc0617e7095f7ff1fcfa
                        • Instruction ID: 8c394e9c1c8085801676fe4d2a66fd0e606983497421bea0080011c77a0d7099
                        • Opcode Fuzzy Hash: 5175ff3fcd06e1b8dfc0216d7d61f9fd44ee4f51de22dc0617e7095f7ff1fcfa
                        • Instruction Fuzzy Hash: 10C16D31A09A498FEF84EF58C454AA97BB1FF69340F14826AD40DD72A6CA34EC45CBC1
                        Strings
                        Memory Dump Source
                        • Source File: 00000013.00000002.1966893681.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab450000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: 63
                        • API String ID: 0-3819469774
                        • Opcode ID: b0b75b26ad34124bc449f3dbfd054624def67cf7166bb4da14f201d1558397fa
                        • Instruction ID: 84eea4158c7f79cb971ee017afce991977cf011a8e5acbb3d65e8a90afa38923
                        • Opcode Fuzzy Hash: b0b75b26ad34124bc449f3dbfd054624def67cf7166bb4da14f201d1558397fa
                        • Instruction Fuzzy Hash: 4BF1C172A08E498FEB94EF5CC495AED7BE1FF98354F04827AD00DC7196DA24AC4687C1
                        Memory Dump Source
                        • Source File: 00000013.00000002.1971480919.00007FFAAB520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB520000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab520000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3441d5fa49a929eec16b5f558269c9926d93d332a9993b8ddb48ef426f4ee69b
                        • Instruction ID: 19aa71584df6e0267c9a44ededcdede0129faad34e71377ca0fa3836f940a882
                        • Opcode Fuzzy Hash: 3441d5fa49a929eec16b5f558269c9926d93d332a9993b8ddb48ef426f4ee69b
                        • Instruction Fuzzy Hash: A7322AA2A0FB8A8FE795D72898559B57BE5EF57250F0801FBD04EC71A3DD18AC0983C1
                        Memory Dump Source
                        • Source File: 00000013.00000002.1971480919.00007FFAAB520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB520000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab520000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 53c2c10252dccdf17f61c9a9c4aaaba36a322ae3ce42acc6dc3e673b4923dbd0
                        • Instruction ID: 00d737dacc7402740565b7b3c2957f01ef886ef0ef02f22c026096d52ec1ab7b
                        • Opcode Fuzzy Hash: 53c2c10252dccdf17f61c9a9c4aaaba36a322ae3ce42acc6dc3e673b4923dbd0
                        • Instruction Fuzzy Hash: 88E1576690FBC64FE39B8B6858515A07FE5EF57260F0941FBC08DCB0A3D91A580AC392
                        Memory Dump Source
                        • Source File: 00000013.00000002.1971480919.00007FFAAB520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB520000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab520000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 08bc6b835fa227afc87c805223f0095c5a98c6836d39846336a533ca42f26249
                        • Instruction ID: a163ba24e2368f9cdbc08af9c5c4eaf7e7514b4187c0c7d09c2afbe6dd1bf410
                        • Opcode Fuzzy Hash: 08bc6b835fa227afc87c805223f0095c5a98c6836d39846336a533ca42f26249
                        • Instruction Fuzzy Hash: A1D1696290FA8B8FE7A5AB6898555B57BD4EF27350B1801FED44EC70A3D918AC09C3C1
                        Memory Dump Source
                        • Source File: 00000013.00000002.1971480919.00007FFAAB520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB520000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab520000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a7122f7ee3a24a4c3716f9b05f9bd9d2e0beb0f09d99656e765791780945fdfb
                        • Instruction ID: 1fa39f8a41c4f6c1cd8ffa1be18df8023a27df44062e7a5d45fe13bc31e3f17c
                        • Opcode Fuzzy Hash: a7122f7ee3a24a4c3716f9b05f9bd9d2e0beb0f09d99656e765791780945fdfb
                        • Instruction Fuzzy Hash: C0D129A280F78A9FE756D73898155B57FA8EF47260F0941FBD48DC70A3DA185C0A83D2
                        Memory Dump Source
                        • Source File: 00000013.00000002.1966893681.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab450000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ecf966c785ff643dbbbe180b95ec90f5c83f751f8b43131e4feb36db356f63bf
                        • Instruction ID: 630a6067f97c2065acdd2245b8c529e60c5bf2dc978b0514055deea4e66a084e
                        • Opcode Fuzzy Hash: ecf966c785ff643dbbbe180b95ec90f5c83f751f8b43131e4feb36db356f63bf
                        • Instruction Fuzzy Hash: B681F87160DBC68FD30ADB2C88A65A47BE0EF53254B1842FFD48DCF1A3E9196806C756
                        Memory Dump Source
                        • Source File: 00000013.00000002.1966893681.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab450000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5dfe9385379b6cd2d33cbd787e51126150dd945c9d948ea022f239d36e0d5cc5
                        • Instruction ID: 5f1761321fe6147ac8c4be5a0831f53faa11a62c62d91b2cca768451d5e3372f
                        • Opcode Fuzzy Hash: 5dfe9385379b6cd2d33cbd787e51126150dd945c9d948ea022f239d36e0d5cc5
                        • Instruction Fuzzy Hash: 1B113A6690EBC99FD743AB3898690E47FB0EF53115B0942EBD488CB0B3D9195D0CC7A2
                        Memory Dump Source
                        • Source File: 00000013.00000002.1966893681.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab450000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d18a284097d4348a0a016935fb30547baa53ad373304df5dbd6ade63c2ec592d
                        • Instruction ID: a5d8f5aeb27a4a29a71a6cffaed9f342b240f0138b8520230fcd69c761269f9a
                        • Opcode Fuzzy Hash: d18a284097d4348a0a016935fb30547baa53ad373304df5dbd6ade63c2ec592d
                        • Instruction Fuzzy Hash: 2AF0BE30818ACC8FCB45DF2888195A87FE0EF26204B0442ABE44DC7061DA61AD18CBC2
                        Memory Dump Source
                        • Source File: 00000013.00000002.1966893681.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab450000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 08d25a8fe89ae7791c3d8e06abaaf8278fdab135ea8f3d35a0dc71a7b1bdde81
                        • Instruction ID: 7c0ebbe5412fac578673c8ee80e252803a64fabe118ac9cbd2653172bfbd803c
                        • Opcode Fuzzy Hash: 08d25a8fe89ae7791c3d8e06abaaf8278fdab135ea8f3d35a0dc71a7b1bdde81
                        • Instruction Fuzzy Hash: 1041E572A0DF868FF756DF6C88665A93FD0EF5226570A41BBC0CCC70A3E915AC068790
                        Memory Dump Source
                        • Source File: 00000013.00000002.1966893681.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab450000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7fd4ffe7a0a9d4bb35842ed1fc064c0c6e67383f0172fa4ff12698bbcdc471ea
                        • Instruction ID: f1d9e4445a6ed45df37dd0256e035c0370dab0766d854a0adf65b1fda6da757f
                        • Opcode Fuzzy Hash: 7fd4ffe7a0a9d4bb35842ed1fc064c0c6e67383f0172fa4ff12698bbcdc471ea
                        • Instruction Fuzzy Hash: C341E77191CF888FDB58DB5C98466B9BBE0FB95311F04826FE08D93252DB70A855CBC2
                        Memory Dump Source
                        • Source File: 00000013.00000002.1962580394.00007FFAAB33D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB33D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab33d000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e9627bdc9165f15da38e2646c99b92ab44bde8f878b3857ac8fc2b9698715d9e
                        • Instruction ID: 1c40bff66b52f449c1510fe91670556f55b88e4da526043f9e51fbcc492b3d2b
                        • Opcode Fuzzy Hash: e9627bdc9165f15da38e2646c99b92ab44bde8f878b3857ac8fc2b9698715d9e
                        • Instruction Fuzzy Hash: EA41477140EBC48FD7569B2898519523FF0EF57360F0A01EFD088CB1A3D625A84AC7A2
                        Memory Dump Source
                        • Source File: 00000013.00000002.1966893681.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab450000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d9cb9f91eabeb3210c3cdbabeac1c127edc1966aa85a92365456fb6aa9fd6c41
                        • Instruction ID: 5f9b0384348889df44b4c0e09729f112e6372432fb42fd643a1bd6455c789645
                        • Opcode Fuzzy Hash: d9cb9f91eabeb3210c3cdbabeac1c127edc1966aa85a92365456fb6aa9fd6c41
                        • Instruction Fuzzy Hash: 9E21B67190CB4C8FDB59DBAC984A6E97FF0EB96321F04426FD048C7162D6749809CB91
                        Memory Dump Source
                        • Source File: 00000013.00000002.1966893681.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab450000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                        • Instruction ID: 92295cdb2f7af2e4ecd78a6a2afc89a425ddf69577780f790e250f5ce601b16d
                        • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                        • Instruction Fuzzy Hash: AA01677111CB0C8FD744EF0CE451AA5B7E0FB95364F10066DE58AC3665DA36E892CB45
                        Memory Dump Source
                        • Source File: 00000013.00000002.1971480919.00007FFAAB520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB520000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab520000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5db07babdb895b09b04c54010581e06de8801d5dab276c38c19563f53681a759
                        • Instruction ID: de1a27b45b0df7b864cae5d24647098be48ad14898897b16b9125c2fbefe1b47
                        • Opcode Fuzzy Hash: 5db07babdb895b09b04c54010581e06de8801d5dab276c38c19563f53681a759
                        • Instruction Fuzzy Hash: 90F068A7D1F7C28AE76647A858521F8AFD5DF532A4B1940FFD0CE86093D40B180953E2
                        Memory Dump Source
                        • Source File: 00000013.00000002.1966893681.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab450000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d1a068ef165dde11b2eb0922c54ccd17bd7a6857efabd29fc98ea0d208b71201
                        • Instruction ID: 526e639100694fbed8dff80a190078cb195467303caa85c6241443221d5bf2e2
                        • Opcode Fuzzy Hash: d1a068ef165dde11b2eb0922c54ccd17bd7a6857efabd29fc98ea0d208b71201
                        • Instruction Fuzzy Hash: 03F0303275C6044FDB4CEA1CF8429B573E1E7D9335B10056EE48BC2656D926E8478685
                        Memory Dump Source
                        • Source File: 00000013.00000002.1966893681.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab450000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 58b30047d7e44f079066e9e7afbe79efcaf13536441b5f12f160c6d55ce256cb
                        • Instruction ID: 3e4df2d08f533e6980e238f371f01d0ba7980f4bfbf13b00c8ade5150821e271
                        • Opcode Fuzzy Hash: 58b30047d7e44f079066e9e7afbe79efcaf13536441b5f12f160c6d55ce256cb
                        • Instruction Fuzzy Hash: 59F0373275C6058FDB4CAA1CF8429B573D1EB95321B10056EE48BC2696D917F8468685
                        Memory Dump Source
                        • Source File: 00000013.00000002.1971480919.00007FFAAB520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB520000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab520000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dd014351d91db75ce75de445f3952c9a613596bc6810c8580d0e0f7e1f014d6f
                        • Instruction ID: ec0bcac14497a860c35c88e9853e418cf60de410da4e7baeb3a9cacca6e06896
                        • Opcode Fuzzy Hash: dd014351d91db75ce75de445f3952c9a613596bc6810c8580d0e0f7e1f014d6f
                        • Instruction Fuzzy Hash: 33F0BE32A0E5458FE759EB5CE4428E877E8EF56360B2100BAE15EC7173CA25EC44C781
                        Memory Dump Source
                        • Source File: 00000013.00000002.1971480919.00007FFAAB520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB520000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab520000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e21a3355fd79db5b8a7ebf1bf056e641e9c297c3a505e66d69cd61c9e013315f
                        • Instruction ID: 2445e7252ee77004be4fdef7ae52875833fae9711612026074c6074475845c82
                        • Opcode Fuzzy Hash: e21a3355fd79db5b8a7ebf1bf056e641e9c297c3a505e66d69cd61c9e013315f
                        • Instruction Fuzzy Hash: 2DF0BE32A0E5458FDB58FB1CE0418A87BE4EF0632072100F6E14ECB063CA25AC44C780
                        Memory Dump Source
                        • Source File: 00000013.00000002.1971480919.00007FFAAB520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB520000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab520000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                        • Instruction ID: fe5f08e291aee2c4d3db72ba3887b7a35b338b57a6fb9361c72cb090c8b22fc2
                        • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                        • Instruction Fuzzy Hash: 50E01A31B0D809CFEA68DB0CE0419A973E5EB9936171141B7D24EC7572CA22EC558BC0
                        Strings
                        Memory Dump Source
                        • Source File: 00000013.00000002.1966893681.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab450000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: (0P$8,P$H1P$P/P$p0P$-P$/P
                        • API String ID: 0-1701350710
                        • Opcode ID: b6c7cb6d886085f344f91d5ba2f34eccf7c533e0313b85f36acc7275925096c6
                        • Instruction ID: 7b38ae8cf9bc566be2c86ab5b9ba49ad322d728aa8deaa3e4961e458a47de4f4
                        • Opcode Fuzzy Hash: b6c7cb6d886085f344f91d5ba2f34eccf7c533e0313b85f36acc7275925096c6
                        • Instruction Fuzzy Hash: 5E31938680FEC15FF719976918265A55FE4FFA3280B0881FFD0CC9A5EBA8549D0D83D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000013.00000002.1966893681.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab450000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: M_^7$M_^8$M_^?$M_^@$M_^F
                        • API String ID: 0-3108979760
                        • Opcode ID: 5f22d3768f0a38e14fd60520b61bc508ca57ba240edf0974e43437eaa3365122
                        • Instruction ID: fe632cccd83ebf3ad269626758311851f3690176e09d0c5684591dd8d0f53f64
                        • Opcode Fuzzy Hash: 5f22d3768f0a38e14fd60520b61bc508ca57ba240edf0974e43437eaa3365122
                        • Instruction Fuzzy Hash: 26413BAB708419A9D2017B3CF8049E977A4EFD42767860BF6E08DCF083BC15788B86C4
                        Strings
                        Memory Dump Source
                        • Source File: 00000013.00000002.1966893681.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_19_2_7ffaab450000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: M_^$M_^$M_^$M_^
                        • API String ID: 0-1397233021
                        • Opcode ID: 63cf3260f4d13193e949081774bd55c03b5868cd499e96ae2daea854c139d658
                        • Instruction ID: 04acfe180ee53156cc94199e66d0e370d65272ace149d0cc54fc84718403f90a
                        • Opcode Fuzzy Hash: 63cf3260f4d13193e949081774bd55c03b5868cd499e96ae2daea854c139d658
                        • Instruction Fuzzy Hash: 9F21467260DAC38FD30B972548661547FA0FF53258F4983FAC4AD8F0E3FD1929068655

                        Execution Graph

                        Execution Coverage:20.1%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:0%
                        Total number of Nodes:148
                        Total number of Limit Nodes:2

                        Callgraph


                        Control-flow Graph

                        APIs
                          • Part of subcall function 613C1D97: LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                        • WinExec.KERNEL32 ref: 613C202C
                          • Part of subcall function 613C3620: Sleep.KERNEL32 ref: 613C362A
                        • WinExec.KERNEL32 ref: 613C21C2
                        • ExitProcess.KERNEL32 ref: 613C2228
                        Strings
                        Memory Dump Source
                        • Source File: 00000015.00000002.1381017096.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000015.00000002.1380961276.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381130780.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381195236.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381433413.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381991931.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1382571230.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_21_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: Exec$ExitLibraryLoadProcessSleep
                        • String ID: 4VULgU2Y$=82LgYWaw5SYoBHXcNWasJWdQxFXzJXZzVFXcpzQgQ2LgUGel5CbsVGazJXZ39GccxFMuEjdcxFbsVGaTJXZ39GUzd3bk5WaXxFXyMTblR3c5NFXcN3dvRmbpdFXcpzQgk3LgwGd1RnblNXZ$==Qaz1WQ$=cmbpJHd$=cmbpJHd$T5WYjNVa$T5WYjNVa$gYWaw5SY$ggGdhBlb$h1WbvNUL$icCX6M0J$kFkIgQmb$oBHXcNWa$sJWdQxFX$uVmclZWZ$vl2c1x2Y$yBFcN1CZ$z1WQ$z1WQ$zJXZzVFX
                        • API String ID: 1758684399-1342957281
                        • Opcode ID: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                        • Instruction ID: a98b6bfe7a99aebf3bb0dc4532f6b7cdca838be127f0f4748d87de296261d5c7
                        • Opcode Fuzzy Hash: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                        • Instruction Fuzzy Hash: 74813E75701B869DCF24EBA6A8543E873A5A785F8CF4480398E8E5FB18FF38C6159341

                        Control-flow Graph

                        APIs
                        • RtlAddFunctionTable.KERNEL32 ref: 613C2C9A
                        Strings
                        Memory Dump Source
                        • Source File: 00000015.00000002.1381017096.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000015.00000002.1380961276.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381130780.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381195236.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381433413.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381991931.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1382571230.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_21_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: FunctionTable
                        • String ID: .pdata
                        • API String ID: 1252446317-4177594709
                        • Opcode ID: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                        • Instruction ID: a98d7effac0a08117c3fa1e10c50b581c5c7b73d9eed72f9ca58742f97c7602a
                        • Opcode Fuzzy Hash: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                        • Instruction Fuzzy Hash: 4621B472B022609AFB058FA9DA443947B62A788F98F4CD024CE0B57314EB3A9A61D755

                        Control-flow Graph

                        APIs
                        • LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                        Memory Dump Source
                        • Source File: 00000015.00000002.1381017096.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000015.00000002.1380961276.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381130780.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381195236.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381433413.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381991931.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1382571230.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_21_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                        • Instruction ID: c1c33eecdd383886d2d8d2bb6f1c2682b4f93b08dfe668e5ddc8be9d462bd23a
                        • Opcode Fuzzy Hash: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                        • Instruction Fuzzy Hash: 06210B72B11B608CE700DBB9EC4439C3B71A348B98F044515DE6DA7BA8EF39C650C394

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000015.00000002.1381017096.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000015.00000002.1380961276.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381130780.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381195236.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381433413.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381991931.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1382571230.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_21_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                        • Instruction ID: e9c459437bb93fbad0663031f86f151610a23291e51109e838943003221a6897
                        • Opcode Fuzzy Hash: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                        • Instruction Fuzzy Hash: F0B01220F13160C3D70C33769C9635850D5574C300FD000288107842A0DC9D02A64640

                        Control-flow Graph

                        APIs
                        • RtlCaptureContext.KERNEL32 ref: 613C2924
                        • RtlLookupFunctionEntry.KERNEL32 ref: 613C293B
                        • RtlVirtualUnwind.KERNEL32 ref: 613C297D
                        • SetUnhandledExceptionFilter.KERNEL32 ref: 613C29C4
                        • UnhandledExceptionFilter.KERNEL32 ref: 613C29D1
                        • GetCurrentProcess.KERNEL32 ref: 613C29D7
                        • TerminateProcess.KERNEL32 ref: 613C29E5
                        Memory Dump Source
                        • Source File: 00000015.00000002.1381017096.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000015.00000002.1380961276.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381130780.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381195236.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381433413.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381991931.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1382571230.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_21_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
                        • String ID:
                        • API String ID: 3266983031-0
                        • Opcode ID: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                        • Instruction ID: e8e25b836daba40db766a00739c45693a0588c7fa2b6924b27fae8a827f53c88
                        • Opcode Fuzzy Hash: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                        • Instruction Fuzzy Hash: E421D375611B31D9EB008B61F8843C937AAB748B98F480566D94F67734EF3AC764C780

                        Control-flow Graph

                        APIs
                        • VirtualQuery.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2620
                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2642
                        Strings
                        Memory Dump Source
                        • Source File: 00000015.00000002.1381017096.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000015.00000002.1380961276.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381130780.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381195236.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381433413.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381991931.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1382571230.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_21_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: Virtual$ProtectQuery
                        • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p$T@<a
                        • API String ID: 1027372294-2627587640
                        • Opcode ID: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                        • Instruction ID: 62939e9ad82f9327e1e07ec4eefc127d92b0ac663fd755b0084f4618bd059482
                        • Opcode Fuzzy Hash: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                        • Instruction Fuzzy Hash: 2771DE76B11A2489EB01CF76EA8078AB362B748FACF48D115CD1F17358DB3AC911C352

                        Control-flow Graph

                        APIs
                        • GetSystemTimeAsFileTime.KERNEL32 ref: 613C2875
                        • GetCurrentProcessId.KERNEL32 ref: 613C2880
                        • GetCurrentThreadId.KERNEL32 ref: 613C2888
                        • GetTickCount.KERNEL32 ref: 613C2890
                        • QueryPerformanceCounter.KERNEL32 ref: 613C289D
                        Memory Dump Source
                        • Source File: 00000015.00000002.1381017096.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000015.00000002.1380961276.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381130780.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381195236.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381433413.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381991931.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1382571230.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_21_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                        • String ID:
                        • API String ID: 1445889803-0
                        • Opcode ID: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                        • Instruction ID: fbcbe058b436404562c126ae5aac31350f057f625ad19c487ba693073682924f
                        • Opcode Fuzzy Hash: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                        • Instruction Fuzzy Hash: 6411BF33756B3082F7005B25B904385B2A2B788BA0F0C5231EE5E53BA4EF3DC9968340

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000015.00000002.1381017096.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                        • Associated: 00000015.00000002.1380961276.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381130780.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381195236.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381433413.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1381991931.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000015.00000002.1382571230.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_21_2_613c0000_rundll32.jbxd
                        Similarity
                        • API ID: QueryVirtual
                        • String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$T@<a
                        • API String ID: 1804819252-4232178576
                        • Opcode ID: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                        • Instruction ID: 6a292cefe7e1f4070340493715416b3679d18dd40189ba87be4cd8971f2c6506
                        • Opcode Fuzzy Hash: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                        • Instruction Fuzzy Hash: 2631F673701A649AE601DF12ED04B967B65F788FE8F48C121DE1E17320DB3AD652C740
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2068306019.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab530000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 37e1d381aad6f9288fe6e1c45b7dcf04f00b5fdc9be3c97b5f35076620885679
                        • Instruction ID: 43543338654be94f1f8f9445435092dbcf739cc7dab27257bfbe67071ab1d08d
                        • Opcode Fuzzy Hash: 37e1d381aad6f9288fe6e1c45b7dcf04f00b5fdc9be3c97b5f35076620885679
                        • Instruction Fuzzy Hash: 93125A62A0EBC64FE396976898655707FD5EF97260B0841FBD08EC72E3DD189C0A83D1
                        Strings
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2065410420.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab460000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: 63$Y_H
                        • API String ID: 0-1662049399
                        • Opcode ID: a63a90fb68fa3b9f049f3b151bf82392511f79ce94ed7c5032c6571ae03c0bfe
                        • Instruction ID: 1010740308dee321abb7d8ca052629492b8688d316d24a7f20a43894d235ca72
                        • Opcode Fuzzy Hash: a63a90fb68fa3b9f049f3b151bf82392511f79ce94ed7c5032c6571ae03c0bfe
                        • Instruction Fuzzy Hash: 8AF1B131A18A498FDF88EF5CC891AA9B7F1FFA9350F144169D40DD72A6CA35E845CBC0
                        Strings
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2065410420.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab460000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: 63
                        • API String ID: 0-3819469774
                        • Opcode ID: ee0095e190fb18a560dcfae4ec25a578de47764db386849dcf1fa7012f933fa3
                        • Instruction ID: cecaf2ea288b7df3888b23f5077fba96bc0ee16e14cacef6b2740cb1ce4adeb7
                        • Opcode Fuzzy Hash: ee0095e190fb18a560dcfae4ec25a578de47764db386849dcf1fa7012f933fa3
                        • Instruction Fuzzy Hash: 6FC16031A09A498FEF84EF58C455AE9BBF1FF69340F14416AD44DD7296CA34E845CBC0
                        Strings
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2065410420.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab460000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: 63
                        • API String ID: 0-3819469774
                        • Opcode ID: 1907c2322decc36053d6d7194b36643caa659c8e916f166bb473ceed217cdee0
                        • Instruction ID: 43ddd6c3eebd1b71f3667a264da81b4e5227a513280df881fd7d6bfa3d713c76
                        • Opcode Fuzzy Hash: 1907c2322decc36053d6d7194b36643caa659c8e916f166bb473ceed217cdee0
                        • Instruction Fuzzy Hash: D0F1E331A18A498FDB88EF5CC495AA9B7F1FFA9350F14416AD40DD7296CA34EC46CBC0
                        Strings
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2065410420.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab460000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: `
                        • API String ID: 0-2679148245
                        • Opcode ID: 063e2f294a70d5173c869b0af063eae5fe35927b2b3d891c5147430e834960a7
                        • Instruction ID: 35a00acc35609e74d229399bcc49bdfbb903e5263c07435c14359e0f9458bc8f
                        • Opcode Fuzzy Hash: 063e2f294a70d5173c869b0af063eae5fe35927b2b3d891c5147430e834960a7
                        • Instruction Fuzzy Hash: 16712CA7E0DFC29FE305AB5CD8760E97B90EF5326AB0940B3C58886063ED15141E46C3
                        Strings
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2065410420.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab460000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: `
                        • API String ID: 0-2679148245
                        • Opcode ID: 9002d83d262f96958832a59b8a0a15cba40f0d232b267f52059935c92cdf1e75
                        • Instruction ID: 0ee18720363a75313100772e12741bee18350d2af4a8ee52e9407fe0e1bf4068
                        • Opcode Fuzzy Hash: 9002d83d262f96958832a59b8a0a15cba40f0d232b267f52059935c92cdf1e75
                        • Instruction Fuzzy Hash: 22411BA7E09FC1CFF3155B5CD8660E5BF90EF56796F088076C18946073E915181E5AC3
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2068306019.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab530000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b5428680ffaf919fa3603afd33ad72954e8fc1f7c55a53a846277ec2a5a855f1
                        • Instruction ID: b95ec291b2776d9b0f4f2e1aa01ae548e944217992bf3f1206013a67e0669d73
                        • Opcode Fuzzy Hash: b5428680ffaf919fa3603afd33ad72954e8fc1f7c55a53a846277ec2a5a855f1
                        • Instruction Fuzzy Hash: FA223B62E0EB8A8FE795A72898659B57BE5EF56350F0401BBD04DC72E3DD18AC09C3C1
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2068306019.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab530000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0a817b29c48b30342e0f1e9811720010b9aacd99246795a2ba6d783bbbf1a6ec
                        • Instruction ID: 220708437677a712e95550a548584914624d6c9c7000fd6b75b08e1207514053
                        • Opcode Fuzzy Hash: 0a817b29c48b30342e0f1e9811720010b9aacd99246795a2ba6d783bbbf1a6ec
                        • Instruction Fuzzy Hash: 3FE1576290EBC68FE797877858651A07FE5EF57250B0941FBD08DCB1E3C9195C0AC392
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2068306019.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab530000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8c8646f83293facba3aa35a93ea74e81c9ce3d485eac20a52e88be1fa3bfb13f
                        • Instruction ID: 5046a4d3925ef0128e8c3314d1fde31b152c3b0eeff50f3bcf5c8de8ecc54e27
                        • Opcode Fuzzy Hash: 8c8646f83293facba3aa35a93ea74e81c9ce3d485eac20a52e88be1fa3bfb13f
                        • Instruction Fuzzy Hash: 19D17B6290EB8B8FE7A5AB6898255B5BBD4EF07390B1801FED04EC71E3D9149C09C3D1
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2068306019.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab530000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f1bd5e38ca934cb88efe9d81652e24115c8856069b0f25d82debf4e22a727bb1
                        • Instruction ID: 7f66c4fd067cdbe984cd75a0fb6271fa522a8beb4a40f2068a4c095c32b62af3
                        • Opcode Fuzzy Hash: f1bd5e38ca934cb88efe9d81652e24115c8856069b0f25d82debf4e22a727bb1
                        • Instruction Fuzzy Hash: E6D13A62C0F78A9FE756973898259B57FA4EF47260F0941FBD08DC71E3DA18580A83D2
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2068306019.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab530000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9c256f72bba4aa602ed84e892078a715b1312a47dfd4063f7fcbb57fe65cc53f
                        • Instruction ID: b8d469ea267854fe95fdb835b097b7554fadf71ace542745e5ac674f66ea9da3
                        • Opcode Fuzzy Hash: 9c256f72bba4aa602ed84e892078a715b1312a47dfd4063f7fcbb57fe65cc53f
                        • Instruction Fuzzy Hash: FE91496290EB8E9FE791AB6898645A53FE5FF56350F0501FFE04DC71E3DA289808C391
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2065410420.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab460000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7e4bf4ab7b5010a2565b936dab14e38ca6188043aab73337688f09ebf8069441
                        • Instruction ID: ce50430195d2ca08f4baf94316d18d635151969a48ed3cee445c00c2c790da53
                        • Opcode Fuzzy Hash: 7e4bf4ab7b5010a2565b936dab14e38ca6188043aab73337688f09ebf8069441
                        • Instruction Fuzzy Hash: 43815B7150DB884FD749DF2CC856AB5BBE0EF96321F0441BED08EC71A3DA25A846CB91
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2068306019.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab530000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 82cb27e4c7839e28531f59b219fea0817bbfabcaeb4c031b14f512224379d3c8
                        • Instruction ID: 3f55fcf3a7eab277785404d8c544675d5b51983e6df0750c985ea768a13ec1f0
                        • Opcode Fuzzy Hash: 82cb27e4c7839e28531f59b219fea0817bbfabcaeb4c031b14f512224379d3c8
                        • Instruction Fuzzy Hash: 8971286190EBC64FE396972898655707FD5FF57350B0991FAC08ECB2E3DC189C0A8382
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2065410420.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab460000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ee6989c33601b5f81ed9f5eb10fcd9c698946b78085494d62b4492c2de3efd48
                        • Instruction ID: e72d97d7e63aa4971189a49eaf818d08677e99c4cbe3b15c6fd6add08f4ff555
                        • Opcode Fuzzy Hash: ee6989c33601b5f81ed9f5eb10fcd9c698946b78085494d62b4492c2de3efd48
                        • Instruction Fuzzy Hash: AE411A7191CB488FEB1C9F5C98466B8BBE0FB99311F04816FE04993252DB74A855CBC2
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2065410420.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab460000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: feae12ddb65a3dcafbc2344af32120c786b654726cabe3bec6a1f83ca422be72
                        • Instruction ID: 3fc6ad2536c6a1c4014e2f90661b6e1db719235f24a8d4341fc6acddb12c5cbd
                        • Opcode Fuzzy Hash: feae12ddb65a3dcafbc2344af32120c786b654726cabe3bec6a1f83ca422be72
                        • Instruction Fuzzy Hash: EF313A72F0DE8AAFE794DF2C84A55A8F7D0FF562A170941BAD44CC7162ED15A8068381
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2062126784.00007FFAAB34D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB34D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab34d000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d3f69f802ee1c4b81ae5b3ccac004e09dc3d9f6804ea7057be2f0071a17248b4
                        • Instruction ID: 76715557c97b8bd8a12db7a681a0acdca8b5878ba51e75b76fd67bdad3c6663c
                        • Opcode Fuzzy Hash: d3f69f802ee1c4b81ae5b3ccac004e09dc3d9f6804ea7057be2f0071a17248b4
                        • Instruction Fuzzy Hash: 5E41F67140EBC48FD75A8B29D841A923FF0EF57221F1506DFD088CB5A3D625A84AC7A2
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2068306019.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab530000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ceb88318c4078ab60b3be2ec35a8a92943641286e33dfe020246f144db31f765
                        • Instruction ID: 20f8b8613551fee3964a3d5f07e2a9cfa0c46554ad9fed3a8795aca8c28ee6bc
                        • Opcode Fuzzy Hash: ceb88318c4078ab60b3be2ec35a8a92943641286e33dfe020246f144db31f765
                        • Instruction Fuzzy Hash: 4D213B63D0FA878FE7A5A71884B457566D5EF96290B1600BEE44EC72E3DD28980843C1
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2065410420.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab460000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                        • Instruction ID: 3ef69888561f25144325a793957f2d2c18edf44b07f592201fb8711670a00630
                        • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                        • Instruction Fuzzy Hash: 0801677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3665DA36E892CB45
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2068306019.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab530000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 87e7b82cb10946218ed86d9c9c3f8030fe1c6efcdec85f363dac793e6b5f8cf7
                        • Instruction ID: edeba190272b0e90ca95fbf7e107c61071d212acb0ee117c2d308439d518f4a5
                        • Opcode Fuzzy Hash: 87e7b82cb10946218ed86d9c9c3f8030fe1c6efcdec85f363dac793e6b5f8cf7
                        • Instruction Fuzzy Hash: E8F044A3D1FBC28AEB6646A858721B8AED5DF432A471940FFD09E861D3D40A18095292
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2065410420.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab460000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 833b36e5ac0400503f9dda138b9b0031255c2190ea0a18dc5e69f4cd369d6f2b
                        • Instruction ID: 1efc551bd3ce492f2f0f999e6471f719876b5c6d1cd19f78669bdfbd876a7d63
                        • Opcode Fuzzy Hash: 833b36e5ac0400503f9dda138b9b0031255c2190ea0a18dc5e69f4cd369d6f2b
                        • Instruction Fuzzy Hash: 4FF0373275C6048FDB4CAA1CF8529B573D1E795321B10056EE48BC2696D917E8468685
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2068306019.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab530000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f8316ec8f5ab5d6db3ecc2aa87a1b73a6095751437d3d195851c3b87a456508b
                        • Instruction ID: 73cb04527e7492fb43b8ff54c3f62bfd5cd9e136df102ad7f14d46c526d74f51
                        • Opcode Fuzzy Hash: f8316ec8f5ab5d6db3ecc2aa87a1b73a6095751437d3d195851c3b87a456508b
                        • Instruction Fuzzy Hash: 5BF09A32A0D9458FD659EB5CE4428A877E8EF5636072100BAE05EC72B3CA25EC448781
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2068306019.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab530000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f3449adf093956111335be8b9cffc88c5f4941ff1e69ba9483cabd66cd0392d2
                        • Instruction ID: 8e703eedd3f4b6f649732739dede470cd25fdaa25fe93c63c8b5a770528ed208
                        • Opcode Fuzzy Hash: f3449adf093956111335be8b9cffc88c5f4941ff1e69ba9483cabd66cd0392d2
                        • Instruction Fuzzy Hash: FAF0BE32A0D5458FD794FB5CE0518A877E4EF0632071100F6E04EC71A3CA25EC54C780
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2068306019.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab530000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                        • Instruction ID: d24e56bdf2536747cc8ec9df9035f8cd4453d8ec71aafa1a8daee1cf9153b417
                        • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                        • Instruction Fuzzy Hash: ECE01A31B0C809CFDAA8DB0CE0519A973E5EB9936171141B7D14EC76B2CA32EC558BC0
                        Strings
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2065410420.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab460000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: (0P$8,P$H1P$P/P$^$p0P$-P$/P
                        • API String ID: 0-635785767
                        • Opcode ID: 824a6171126d8f99df772a94100882906daf9e6c96a4313d65ec163b53f422ac
                        • Instruction ID: b6c8206431a99c753654aeb9ad7f0b2921421bdac10d0560b0a676cd48f2f0d9
                        • Opcode Fuzzy Hash: 824a6171126d8f99df772a94100882906daf9e6c96a4313d65ec163b53f422ac
                        • Instruction Fuzzy Hash: EC41818390FBC14FF35D8B982CA51659F95EBA3291B1880FFE0CC46AEF98559D0987C1
                        Strings
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2065410420.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab460000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: L_^7$L_^8$L_^?$L_^@$L_^F
                        • API String ID: 0-3711972127
                        • Opcode ID: bf76e125d16ff9d24a8199eee5d34aad6103ce9738fad9af1909415e48979cf6
                        • Instruction ID: b8b155f57011046e6065e8325eb67ee91f8e67c9866ad7cce0f8672b23e42af2
                        • Opcode Fuzzy Hash: bf76e125d16ff9d24a8199eee5d34aad6103ce9738fad9af1909415e48979cf6
                        • Instruction Fuzzy Hash: 424159AB70841179D2013B7CF8059ED37A4EFD427A74649F6E28DCE043AE25748B86D0
                        Strings
                        Memory Dump Source
                        • Source File: 0000001A.00000002.2065410420.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ffaab460000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: L_^$L_^$L_^$L_^
                        • API String ID: 0-2357752022
                        • Opcode ID: 0d572dcb4a36b8b3c2f7b52b551df72517c741260f3a280a188d30d3eb06dc66
                        • Instruction ID: 654dce38271c737ec8be39c80a8a1aff754f2458236b2f9c126c83da8055732f
                        • Opcode Fuzzy Hash: 0d572dcb4a36b8b3c2f7b52b551df72517c741260f3a280a188d30d3eb06dc66
                        • Instruction Fuzzy Hash: 1931BDE3A0EAC28FF31A47598835065BF90FF2325870D92F7C588874A3EE15180F86C2
                        Strings
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2098393722.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: 63
                        • API String ID: 0-3819469774
                        • Opcode ID: d7f3c4d9255a625d73ebbce4c76f5ea480a35b3ede2bafc82bb01795d91adebc
                        • Instruction ID: 015bf85b04502a30e291c5028f1f5ca4bdd3a43b3a20309a4357a9a69b2f34fb
                        • Opcode Fuzzy Hash: d7f3c4d9255a625d73ebbce4c76f5ea480a35b3ede2bafc82bb01795d91adebc
                        • Instruction Fuzzy Hash: 8222E731A18A498FDB98EF5CC481AE97BE1FF99350F14416DD44EC72A6CA25E846CBC0
                        Strings
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2098393722.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: 63
                        • API String ID: 0-3819469774
                        • Opcode ID: 71c3780a790e9534dadaed30dcb49cd8bbaff29161ef78faaf6666e709da7ba2
                        • Instruction ID: da48b594f4d3d84cc96d35f91b820e155807db1200b9e217a69005b7404367e4
                        • Opcode Fuzzy Hash: 71c3780a790e9534dadaed30dcb49cd8bbaff29161ef78faaf6666e709da7ba2
                        • Instruction Fuzzy Hash: D3F1E471A08A498FDB88EF1CC445AE977E1FF69310F144169D44ED72A6CA34EC86CBC1
                        Strings
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2098393722.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: 63
                        • API String ID: 0-3819469774
                        • Opcode ID: 8d2e3a5423529e5ddcb4a6296a5925c3521fdb54fbbeafc31264f51b57675387
                        • Instruction ID: 890b0eab3e756ee7885623ec62ca5089eb3055f9d6fb15c0a99e112b232e85bc
                        • Opcode Fuzzy Hash: 8d2e3a5423529e5ddcb4a6296a5925c3521fdb54fbbeafc31264f51b57675387
                        • Instruction Fuzzy Hash: 73B16E31A18A4D8FEF98EF58C445AE977E1FF69340F1481AAD40ED7295CA34E895CBC0
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2100504405.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a54ddfa6ad7555aa4c61919e2941db5cb23a3dcb9472c3623152f592205a4103
                        • Instruction ID: bcdb6763c3b40c60e668bf8e13c90c87a4a5e0403b65fb7c175eff67cd5c574e
                        • Opcode Fuzzy Hash: a54ddfa6ad7555aa4c61919e2941db5cb23a3dcb9472c3623152f592205a4103
                        • Instruction Fuzzy Hash: AD2228A290EB8A8FE395A72CA8555B53BD5EF56250F0801FBD04FC71B3DD18A80AC3D1
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2100504405.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e8228c45492ecef76e89d40b29d0f3ffe6c29d61c5d7afb30084ba71514e4c56
                        • Instruction ID: 8f2784328bc2f19431ccdd184d58714bc95d55e5d4880cdbe8d2a630388a0fef
                        • Opcode Fuzzy Hash: e8228c45492ecef76e89d40b29d0f3ffe6c29d61c5d7afb30084ba71514e4c56
                        • Instruction Fuzzy Hash: 03D1786290EA8B9FE795BB68A8155B97BE4EF17350B1800FED14FC70B3D9189809C3D1
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2100504405.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e8079d8af559649ec2bcd8280b12000af5feda4785a743ccbe17cef41644ee72
                        • Instruction ID: 7769850f9a804ad34e670a968c95b915b2486a6008c7c42357922deeeeb3ffb8
                        • Opcode Fuzzy Hash: e8079d8af559649ec2bcd8280b12000af5feda4785a743ccbe17cef41644ee72
                        • Instruction Fuzzy Hash: 7BD1F652A0EBC65FE396A738A8655707FE5EF57250B0944FBC08ECB1B3D9095C0AC392
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2100504405.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 77573be76313245332bdf973e32b7f5b7642d00082f39669dccafaaa6bc7ab01
                        • Instruction ID: c34d36af06985418e58defef6fefe9cd3afe935bc9f04e479140baab485884d8
                        • Opcode Fuzzy Hash: 77573be76313245332bdf973e32b7f5b7642d00082f39669dccafaaa6bc7ab01
                        • Instruction Fuzzy Hash: A2D1FAA280E7CA5FD766A738A8155A57FE4EF57250B0941FBD08EC70B3DA189809C3D2
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2100504405.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a8e8782e68e04313e34aa2b2ebe13d315ee0aee397b56d0ea7e89976a53bf67a
                        • Instruction ID: 2b7ab5d8f7bb2d9d9b5baeef50329d3e67399d798b08966bd975afb1cf4731b5
                        • Opcode Fuzzy Hash: a8e8782e68e04313e34aa2b2ebe13d315ee0aee397b56d0ea7e89976a53bf67a
                        • Instruction Fuzzy Hash: 3BC1386290EBCA8FD792FB6898545A57FE5EF56350F1800FBD54EC70B3DA289809C381
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2098393722.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 690564cd81ab07e8b978858fcccee6b8db6c3fd6c44955a6c7dbfdbed1ec238b
                        • Instruction ID: 9a8230e769268395afbd9ab41dd597aec0135baf6ad3ea83f857d1a3d892c8d6
                        • Opcode Fuzzy Hash: 690564cd81ab07e8b978858fcccee6b8db6c3fd6c44955a6c7dbfdbed1ec238b
                        • Instruction Fuzzy Hash: 1131297191CB888FDB189B5CDC066E97BE0FB59321F04426FE049C3662DA746855CBC3
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2096495643.00007FFAAB32D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB32D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab32d000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 24caa0ec6f7917f350115e75adbe0eff91fcb6223f06b95a18eb0426eebefb79
                        • Instruction ID: f2f2d5dafadb1128bff5f5351899ebbdc7b0761d9fea7635b946a601bdbc4169
                        • Opcode Fuzzy Hash: 24caa0ec6f7917f350115e75adbe0eff91fcb6223f06b95a18eb0426eebefb79
                        • Instruction Fuzzy Hash: 0941263140EBC48FD7568B2898529523FF4EF63260F1905DFD48CCB5A3D625A84AC7A2
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2098393722.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 52ec64c70b874817b130244ffe912ff40f7b7888b03b5ac988337a49b0c36fcb
                        • Instruction ID: 032ea2c274e8bdd17d38dfda544c859d0e861b28e566c2f0dac13277657503e9
                        • Opcode Fuzzy Hash: 52ec64c70b874817b130244ffe912ff40f7b7888b03b5ac988337a49b0c36fcb
                        • Instruction Fuzzy Hash: A431257190DB888FDB59DFA8C8496E97FE0EF96320F0481AFD049C71A3D6745809CB92
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2100504405.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 72f6ce94369af882edaa86762f6f3754d4c7c8ea5e7c92ac787face3971e39ea
                        • Instruction ID: 7da54369e866c409ab2ccbf3ad21a1aa74770be0a1dd8163637d920611eb13d9
                        • Opcode Fuzzy Hash: 72f6ce94369af882edaa86762f6f3754d4c7c8ea5e7c92ac787face3971e39ea
                        • Instruction Fuzzy Hash: AC310632A0DA868FEBA5AB5868512B47BD1EF46260B1841BFC04FC30A3DA55980983C1
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2098393722.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 33bccafcd9faccf00660a282b214b375b8f4e0c65c0fdebe9fa9b0c163f7d598
                        • Instruction ID: 2eac16baa310da1df5e9b8f30a4b74f93342c1340f166dd1450738967443e93d
                        • Opcode Fuzzy Hash: 33bccafcd9faccf00660a282b214b375b8f4e0c65c0fdebe9fa9b0c163f7d598
                        • Instruction Fuzzy Hash: 67216E61B1DE8A9FE790DF2CC458AB93BD5EFAA25470540BBD44DC3162DD24DC068350
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2100504405.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 51cca0bd4e4051c6af78a2a1cf5380d04c328481fe6aeaaab72abad1b72ceaf5
                        • Instruction ID: 12f5df977212fe07a8de832097f652bb7394c2f2aed73c4cb871b045f32a7fd9
                        • Opcode Fuzzy Hash: 51cca0bd4e4051c6af78a2a1cf5380d04c328481fe6aeaaab72abad1b72ceaf5
                        • Instruction Fuzzy Hash: CA21F36290EA9B8BE7A5B71864505796AD5EF96290B5840BAD54FC30F3DD18E80883C1
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2098393722.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                        • Instruction ID: 718e74db34d11c32abd77556616b67ad033d569757b0435e39ffabc2895382b1
                        • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                        • Instruction Fuzzy Hash: F601677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3665DA36E892CB45
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2100504405.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8bfa0b30415b7d211cc20b2c0aa7717ded1c0377e0ae5beddeac3ad5f0132c4e
                        • Instruction ID: 1e355c114dd6cf823ea8421f97ea0068daabb480ffd3b210827e0a643f8a3b41
                        • Opcode Fuzzy Hash: 8bfa0b30415b7d211cc20b2c0aa7717ded1c0377e0ae5beddeac3ad5f0132c4e
                        • Instruction Fuzzy Hash: 3DF0AF73D1F7C28AE76677A478621B87FD4DF032A071840FFD08F960A3998A18098392
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2098393722.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 70744461ae5ccc717cd413a90b27d3fe3270dfe4984880f8163348218504d8b2
                        • Instruction ID: ae82e6c0c0607cdf2b703a8c677fd105a007809a4c4f8019b00df039f7c26f88
                        • Opcode Fuzzy Hash: 70744461ae5ccc717cd413a90b27d3fe3270dfe4984880f8163348218504d8b2
                        • Instruction Fuzzy Hash: 79F0303275CA048FDB4CAA1CF8429B573E1EB99321B10056EF48BC2696D927E8468A85
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2098393722.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9450abb6836ee9c26b4c77e9e9f67e30bd9dbec61eda04d66a898bd4ae3af990
                        • Instruction ID: ac6ed5010e7f0b7fd86fa84be444ad5cb370324bcd8c48e2fbcc85d956042790
                        • Opcode Fuzzy Hash: 9450abb6836ee9c26b4c77e9e9f67e30bd9dbec61eda04d66a898bd4ae3af990
                        • Instruction Fuzzy Hash: 42F0243480868D8FDB4ADF68C8194D57FA0EF27350F04429BE44DC70B2DB659868CBC2
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2100504405.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8b3b5b283fcb19022b1c9bdc54483da79d81f1829bea148150299501166b50ca
                        • Instruction ID: b860e356ca9f2d1fe08ea5bf08d570672f3c04e801f199891c21448bdd306cb2
                        • Opcode Fuzzy Hash: 8b3b5b283fcb19022b1c9bdc54483da79d81f1829bea148150299501166b50ca
                        • Instruction Fuzzy Hash: 00F0BE32A0D9058FD668FB1CF4418A877E4EF46320B2045BAE06EC7077CA25EC84CB81
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2100504405.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab510000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ef0997bed550cfed14f1f92d6e95b88ed9aac1abdc0662e14432329a021afbc5
                        • Instruction ID: d42a6ab61670ef454ca0f56a548a9ec67b55582a49653ca82ee273333890447b
                        • Opcode Fuzzy Hash: ef0997bed550cfed14f1f92d6e95b88ed9aac1abdc0662e14432329a021afbc5
                        • Instruction Fuzzy Hash: B6F09A32A0D5058FD654FB2CE0818A877E4EF0632075500B6E04ECB073CA25AC448B80
                        Strings
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2098393722.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: (0P$8,P$H1P$P/P$p0P$-P$/P
                        • API String ID: 0-1701350710
                        • Opcode ID: 88d3f4893b0145f4183c742fbf06966fd77322a98ff06e38fabca15f5ebd913d
                        • Instruction ID: 1c712dffe015834daabb33d0d9e1ea71196747273c634af1648217cf8e3ec6fb
                        • Opcode Fuzzy Hash: 88d3f4893b0145f4183c742fbf06966fd77322a98ff06e38fabca15f5ebd913d
                        • Instruction Fuzzy Hash: 9721A68380FAC00FF31986996C251A55FD9FBA6790B0880FFE0CD866EB58549D2D87D1
                        Strings
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2098393722.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: N_^$N_^$N_^$N_^
                        • API String ID: 0-3900292545
                        • Opcode ID: 439360ab9f1b947a079557c02b6ba1721f3c2eb42e07b6f0c8f6e73daca01f69
                        • Instruction ID: ca4b342005a6658752553c0a14d9334340e73ae7cafe738e48b2fa697eb99ec1
                        • Opcode Fuzzy Hash: 439360ab9f1b947a079557c02b6ba1721f3c2eb42e07b6f0c8f6e73daca01f69
                        • Instruction Fuzzy Hash: 9851C562E0E7C35FD706976888E60D47FA4EF53254B0D42F7C5ED8E0A3F918641A83A6
                        Strings
                        Memory Dump Source
                        • Source File: 0000001D.00000002.2098393722.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_29_2_7ffaab440000_pha.jbxd
                        Similarity
                        • API ID:
                        • String ID: ;S^$<S^$HAd$l~[I
                        • API String ID: 0-2074214753
                        • Opcode ID: d98a96b9ab376c12411d9f387ec713f2542bd2a132822d02bf8f6c5d66cf1866
                        • Instruction ID: 26a6c69534484f0031c9445929433f353e6ccd2c4adf6a4dc17c7b5c615792a2
                        • Opcode Fuzzy Hash: d98a96b9ab376c12411d9f387ec713f2542bd2a132822d02bf8f6c5d66cf1866
                        • Instruction Fuzzy Hash: CA21A74290FBC2AFF75257B848554A5AEA1AFB328475C80FBC09D4A1E7E8459D3CC3D1