
Windows Analysis Report
fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll

Overview

General Information

Sample name: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll
renamed because original name is a hash value
Original sample name: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.exe
Analysis ID: 1493796
MD5: cd6bf0fea07fff98c49a1ef6ccd11207
SHA1: 8c043e4f7778b90538944cb2aea806831bf79d32
SHA256: 998b6a7ad1579c31d13a53c37e184b58491bbaed016fa55cec1cd411c6989e2e
Tags: exe
Infos:

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Loading BitLocker PowerShell Module
Machine Learning detection for sample
PE file contains section with special chars
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Execution from Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6408 cmdline: loaddll64.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3192 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 1532 cmdline: rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • esentutl.exe (PID: 320 cmdline: esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o MD5: E2098B56CF093E165D030E27591CE498)
          • conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • pha.pif (PID: 3996 cmdline: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • rundll32.exe (PID: 1252 cmdline: rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,ASSnko MD5: EF3179D498793BF4234F708D3BE28633)
      • esentutl.exe (PID: 6036 cmdline: esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o MD5: E2098B56CF093E165D030E27591CE498)
        • conhost.exe (PID: 3996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • pha.pif (PID: 6180 cmdline: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 7216 cmdline: rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,FindProcessId MD5: EF3179D498793BF4234F708D3BE28633)
      • esentutl.exe (PID: 7228 cmdline: esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o MD5: E2098B56CF093E165D030E27591CE498)
        • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • pha.pif (PID: 7348 cmdline: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 7464 cmdline: rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,NetApiBufferFree MD5: EF3179D498793BF4234F708D3BE28633)
      • esentutl.exe (PID: 7480 cmdline: esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o MD5: E2098B56CF093E165D030E27591CE498)
        • conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • pha.pif (PID: 7632 cmdline: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • esentutl.exe (PID: 7760 cmdline: esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o MD5: E2098B56CF093E165D030E27591CE498)
    • pha.pif (PID: 7844 cmdline: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
No yara matches
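The process tree above is the whole story of this sample. Whichever export rundll32.exe is asked for (#1, ASSnko, FindProcessId, NetApiBufferFree), and loaddll64.exe itself, spawn the same two children. First `esentutl /y <powershell.exe> /d C:\Users\Public\pha.pif /o` abuses the ESE database utility's copy mode to drop a renamed copy of PowerShell into a world-writable folder (the `powershell.pdb` string later found inside pha.pif confirms what the file is, and `.pif` is one of the extensions Windows will execute as a PE regardless of the name). Then `pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"` asks Defender to stop scanning the entire system drive. Two caveats when triaging a chain like this: `Add-MpPreference` only succeeds from an elevated context, and nothing in this report shows whether the exclusion actually took effect; and the doubled backslashes in the logged command lines are literal, so a detection that prefix-matches `C:\Users\Public\` will miss `C:\\Users\\Public\\pha.pif` unless it normalises separators first.

The following Python is added here as an example and is not part of the Joe Sandbox report. It runs three detections over a constructed set of Sysmon-style process-creation events modelled on the tree above (fields Image, CommandLine, OriginalFileName; the OriginalFileName value `PowerShell.EXE` for pha.pif is what Sysmon would read from the copied binary's version resource and is an assumption, since the report's own Sigma data shows the path there instead). It goes one step beyond the sample by also decoding a `-EncodedCommand` variant, which is the case the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma rule listed above exists for.

```python
"""Detections for the chain in this report: esentutl copies powershell.exe to a .pif
in C:\\Users\\Public, then the copy adds a Defender exclusion for C:\\.
Example written for this write-up, not Joe Sandbox output. SAMPLE_EVENTS is constructed
to mirror the process tree, plus two benign controls and one -EncodedCommand variant."""
import base64
import re
from pathlib import PureWindowsPath

USER_WRITABLE_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
ODD_PE_EXTENSIONS = {".pif", ".scr", ".com", ".cpl"}  # executed as PE, rarely launched by users
MP_TAMPER_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b[^;|]*?-(?:Exclusion(?:Path|Process|Extension|IpAddress)|Disable[A-Za-z]+)",
    re.IGNORECASE)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def norm_path(p):
    # The report logs C:\\Users\\Public\\pha.pif with doubled separators; Windows tolerates
    # that, so collapse runs of backslashes before any prefix or name comparison.
    return re.sub(r"\\+", r"\\", p.strip('"')).lower()

def _arg_after(toks, low, flag):
    i = low.index(flag) + 1
    return norm_path(toks[i]) if i < len(toks) else ""

def esentutl_file_copy(ev):
    """esentutl /y <src> /d <dst> [/o] copies any file (LOLBAS). Flag copies that rename
    the file or drop it into a user-writable directory."""
    if PureWindowsPath(norm_path(ev["Image"])).name != "esentutl.exe":
        return None
    toks = re.findall(r'"[^"]*"|\S+', ev["CommandLine"])
    low = [t.lower() for t in toks]
    if "/y" not in low or "/d" not in low:
        return None
    src, dst = _arg_after(toks, low, "/y"), _arg_after(toks, low, "/d")
    renamed = PureWindowsPath(src).name != PureWindowsPath(dst).name
    if src and dst and (renamed or dst.startswith(USER_WRITABLE_DIRS)):
        return f"copied {src} to {dst}"
    return None

def masquerading_image(ev):
    """Odd PE extension in a user-writable folder, or an on-disk name that disagrees
    with the OriginalFileName carried in the image's version resource."""
    img = norm_path(ev["Image"])
    path = PureWindowsPath(img)
    hits = []
    if img.startswith(USER_WRITABLE_DIRS) and path.suffix in ODD_PE_EXTENSIONS:
        hits.append(f"{path.suffix} executed from {path.parent}")
    original = ev.get("OriginalFileName", "")
    if original and original.lower() != path.name:
        hits.append(f"{path.name} is really {original}")
    return "; ".join(hits) or None

def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or ''."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def defender_exclusion(ev):
    """Add-/Set-MpPreference with an exclusion or Disable* switch, plain or encoded."""
    for text in (ev["CommandLine"], decode_encoded_command(ev["CommandLine"])):
        m = MP_TAMPER_RE.search(text)
        if m:
            return m.group(0)
    return None

RULES = {"esentutl_file_copy": esentutl_file_copy, "masquerading_image": masquerading_image,
         "defender_exclusion": defender_exclusion}

def triage(events):
    """Run every rule over every event; return (ProcessId, rule, detail) tuples."""
    return [(ev["ProcessId"], name, detail)
            for ev in events for name, rule in RULES.items() if (detail := rule(ev))]

def encode_command(script):
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

ENCODED_SCRIPT = "Add-MpPreference -ExclusionPath 'C:\\'"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed; PIDs 1252 / 6036 / 6180 follow the report's tree
    {"ProcessId": 1252, "Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Users\user\Desktop\sample_dump2.dll.dll,ASSnko"},
    {"ProcessId": 6036, "Image": r"C:\Windows\System32\esentutl.exe", "OriginalFileName": "esentutl.exe",
     "CommandLine": r"esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o"},
    {"ProcessId": 6180, "Image": r"C:\Users\Public\pha.pif", "OriginalFileName": "PowerShell.EXE",  # assumed
     "CommandLine": r'''C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"'''},
    {"ProcessId": 4242, "Image": r"C:\Windows\System32\esentutl.exe", "OriginalFileName": "esentutl.exe",
     "CommandLine": r"esentutl /p C:\Windows\NTDS\ntds.dit"},  # benign: database repair, no copy
    {"ProcessId": 4343, "Image": PS_EXE, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell.exe -Command "Get-MpPreference"'},  # benign: read-only
    {"ProcessId": 4444, "Image": PS_EXE, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -enc " + encode_command(ENCODED_SCRIPT)},  # hidden variant
]

if __name__ == "__main__":
    for pid, rule, detail in triage(SAMPLE_EVENTS):
        print(f"PID {pid:<5} {rule:<20} {detail}")
```

Run stand-alone it prints four findings: the esentutl copy (PID 6036), the masqueraded image and the exclusion (both PID 6180) and the encoded exclusion (PID 4444); the rundll32 launch and the two benign controls stay silent. The `OriginalFileName` comparison is the cheapest of the three rules and the hardest for this technique to dodge, because esentutl copies the binary byte for byte and the version resource travels with it.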

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Users\Public\pha.pif, NewProcessName: C:\Users\Public\pha.pif, OriginalFileName: C:\Users\Public\pha.pif, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,ASSnko, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 1252, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6180, ProcessName: pha.pif
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Users\Public\pha.pif, NewProcessName: C:\Users\Public\pha.pif, OriginalFileName: C:\Users\Public\pha.pif, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,ASSnko, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 1252, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6180, ProcessName: pha.pif
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Users\Public\pha.pif, NewProcessName: C:\Users\Public\pha.pif, OriginalFileName: C:\Users\Public\pha.pif, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,ASSnko, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 1252, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6180, ProcessName: pha.pif
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\Public\pha.pif, ProcessId: 6180, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t52hvzge.tmf.ps1
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Users\Public\pha.pif, NewProcessName: C:\Users\Public\pha.pif, OriginalFileName: C:\Users\Public\pha.pif, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,ASSnko, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 1252, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6180, ProcessName: pha.pif
No Suricata rule has matched


AV Detection

Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | Virustotal: Detection: 29%
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | ReversingLabs: Detection: 16%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.0% probability
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | Joe Sandbox ML: detected
Source: Binary string: powershell.pdbUGP | source: esentutl.exe, 00000006.00000003.2093439581.00000197CCC30000.00000004.00001000.00020000.00000000.sdmp, pha.pif, 0000000A.00000000.2112401163.00007FF66AE1B000.00000002.00000001.01000000.00000005.sdmp, pha.pif.6.dr
Source: Binary string: powershell.pdb | source: esentutl.exe, 00000006.00000003.2093439581.00000197CCC30000.00000004.00001000.00020000.00000000.sdmp, pha.pif, 0000000A.00000000.2112401163.00007FF66AE1B000.00000002.00000001.01000000.00000005.sdmp, pha.pif.6.dr
Source: pha.pif, 0000001A.00000002.2993327282.000002514297C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: pha.pif, 0000001A.00000002.2993327282.000002514297C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: pha.pif, 00000017.00000002.2942073165.000002812A440000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: pha.pif, 0000000A.00000002.2421603225.00000237DCA25000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000000B.00000002.2344518931.0000027E2BBF5000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000011.00000002.2711244361.00000260CA9C6000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000017.00000002.2853632094.00000281222D7000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000001A.00000002.2905349013.000002513A717000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: pha.pif, 0000001A.00000002.2350391567.000002512A8C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: pha.pif, 0000000A.00000002.2234969099.00000237CCBD9000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000000B.00000002.2232134749.0000027E1BDA8000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000011.00000002.2270345907.00000260BAB78000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000017.00000002.2308426212.0000028112487000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000001A.00000002.2350391567.000002512A8C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: pha.pif, 0000000A.00000002.2234969099.00000237CC9B1000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000000B.00000002.2232134749.0000027E1BB81000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000011.00000002.2270345907.00000260BA951000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000017.00000002.2308426212.0000028112261000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000001A.00000002.2350391567.000002512A6A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pha.pif, 0000000A.00000002.2234969099.00000237CCBD9000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000000B.00000002.2232134749.0000027E1BDA8000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000011.00000002.2270345907.00000260BAB78000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000017.00000002.2308426212.0000028112487000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000001A.00000002.2350391567.000002512A8C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: pha.pif, 0000001A.00000002.2350391567.000002512A8C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: pha.pif, 0000000A.00000002.2540156835.00000237E4CCC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c
Source: pha.pif, 0000000A.00000002.2234969099.00000237CC9B1000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000000B.00000002.2232134749.0000027E1BB81000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000011.00000002.2270345907.00000260BA951000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000017.00000002.2308426212.0000028112261000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000001A.00000002.2350391567.000002512A6A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: pha.pif, 0000001A.00000002.2905349013.000002513A717000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: pha.pif, 0000001A.00000002.2905349013.000002513A717000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: pha.pif, 0000001A.00000002.2905349013.000002513A717000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: pha.pif, 0000001A.00000002.2350391567.000002512A8C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: pha.pif, 00000011.00000002.2831818042.00000260D2B3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.mic
Source: pha.pif, 0000000A.00000002.2421603225.00000237DCA25000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000000B.00000002.2344518931.0000027E2BBF5000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000011.00000002.2711244361.00000260CA9C6000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000017.00000002.2853632094.00000281222D7000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000001A.00000002.2905349013.000002513A717000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\Public\pha.pif | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security (opened repeatedly across the pha.pif instances)
Source: C:\Users\Public\pha.pif | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell (opened repeatedly)
Source: C:\Users\Public\pha.pif | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System (opened repeatedly)
Source: C:\Users\Public\pha.pif | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell (opened repeatedly)
These opens back the "Reads the Security eventlog" and "Reads the System eventlog" signatures above. They are consistent with ordinary PowerShell host start-up rather than log tampering: .NET's EventLog.SourceExists walks every log under Services\EventLog looking for a "PowerShell" source subkey, which is exactly the Security\PowerShell and System\PowerShell pattern seen here. Since pha.pif is a renamed powershell.exe, treat these as weak evidence on their own.

System Summary

Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | Static PE information: section name: . (11 sections carry this name in the report; these are the sections behind the "PE file contains section with special chars" signature, the non-printable characters having been dropped on display)
Source: C:\Users\Public\pha.pif | Code function: 10_2_00007FF848E730E9
Source: C:\Users\Public\pha.pif | Code function: 17_2_00007FF848E730E9
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | Static PE information: Number of sections : 19 > 10
Source: classification engine | Classification label: mal96.evad.winDLL@40/27@0/0
Source: C:\Windows\System32\esentutl.exe | File created: C:\Users\Public\pha.pif
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3996:120:WilError_03
Source: C:\Users\Public\pha.pif | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Users\Public\pha.pif | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t52hvzge.tmf.ps1
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,ASSnko
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | Virustotal: Detection: 29%
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | ReversingLabs: Detection: 16%
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,ASSnko
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\esentutl.exe esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\esentutl.exe esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
Source: C:\Windows\System32\esentutl.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\esentutl.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Users\Public\pha.pif C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Users\Public\pha.pif C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\pha.pif | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,FindProcessId
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\esentutl.exe esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
Source: C:\Windows\System32\esentutl.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Users\Public\pha.pif C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\Public\pha.pif | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,NetApiBufferFree
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\esentutl.exe esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
Source: C:\Windows\System32\esentutl.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Users\Public\pha.pif C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\Public\pha.pif | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\esentutl.exe esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Users\Public\pha.pif C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: ???.dll
Source: C:\Windows\System32\esentutl.exe Section loaded: esent.dll
Source: C:\Windows\System32\esentutl.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Public\pha.pif Section loaded: atl.dll
Source: C:\Users\Public\pha.pif Section loaded: mscoree.dll
Source: C:\Users\Public\pha.pif Section loaded: kernel.appcore.dll
Source: C:\Users\Public\pha.pif Section loaded: version.dll
Source: C:\Users\Public\pha.pif Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\pha.pif Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\pha.pif Section loaded: cryptsp.dll
Source: C:\Users\Public\pha.pif Section loaded: rsaenh.dll
Source: C:\Users\Public\pha.pif Section loaded: cryptbase.dll
Source: C:\Users\Public\pha.pif Section loaded: amsi.dll
Source: C:\Users\Public\pha.pif Section loaded: userenv.dll
Source: C:\Users\Public\pha.pif Section loaded: profapi.dll
Source: C:\Users\Public\pha.pif Section loaded: windows.storage.dll
Source: C:\Users\Public\pha.pif Section loaded: wldp.dll
Source: C:\Users\Public\pha.pif Section loaded: msasn1.dll
Source: C:\Users\Public\pha.pif Section loaded: gpapi.dll
Source: C:\Users\Public\pha.pif Section loaded: msisip.dll
Source: C:\Users\Public\pha.pif Section loaded: wshext.dll
Source: C:\Users\Public\pha.pif Section loaded: appxsip.dll
Source: C:\Users\Public\pha.pif Section loaded: opcservices.dll
Source: C:\Users\Public\pha.pif Section loaded: secur32.dll
Source: C:\Users\Public\pha.pif Section loaded: sspicli.dll
Source: C:\Users\Public\pha.pif Section loaded: uxtheme.dll
Source: C:\Users\Public\pha.pif Section loaded: urlmon.dll
Source: C:\Users\Public\pha.pif Section loaded: iertutil.dll
Source: C:\Users\Public\pha.pif Section loaded: srvcli.dll
Source: C:\Users\Public\pha.pif Section loaded: netutils.dll
Source: C:\Users\Public\pha.pif Section loaded: propsys.dll
Source: C:\Users\Public\pha.pif Section loaded: wininet.dll
Source: C:\Users\Public\pha.pif Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Users\Public\pha.pif Section loaded: mi.dll
Source: C:\Users\Public\pha.pif Section loaded: miutils.dll
Source: C:\Users\Public\pha.pif Section loaded: wmidcom.dll
Source: C:\Users\Public\pha.pif Section loaded: dpapi.dll
Source: C:\Users\Public\pha.pif Section loaded: wbemcomn.dll
Source: C:\Users\Public\pha.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\pha.pif File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll Static PE information: Image base 0x613c0000 > 0x60000000
Source: Binary string: powershell.pdbUGP source: esentutl.exe, 00000006.00000003.2093439581.00000197CCC30000.00000004.00001000.00020000.00000000.sdmp, pha.pif, 0000000A.00000000.2112401163.00007FF66AE1B000.00000002.00000001.01000000.00000005.sdmp, pha.pif.6.dr
Source: Binary string: powershell.pdb source: esentutl.exe, 00000006.00000003.2093439581.00000197CCC30000.00000004.00001000.00020000.00000000.sdmp, pha.pif, 0000000A.00000000.2112401163.00007FF66AE1B000.00000002.00000001.01000000.00000005.sdmp, pha.pif.6.dr
Source: pha.pif.6.dr Static PE information: 0x7EDA4115 [Wed Jun 10 07:45:25 2037 UTC]
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_613C1D0E LoadLibraryW,GetProcAddress,GetCurrentProcess,WriteProcessMemory, 0_2_613C1D0E
Source: initial sample Static PE information: section where entry point is pointing to: .
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll Static PE information: section name: .
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll Static PE information: section name: /4
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll Static PE information: section name: /19
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll Static PE information: section name: /31
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll Static PE information: section name: /45
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll Static PE information: section name: /57
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll Static PE information: section name: /70
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll Static PE information: section name: /81
Source: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll Static PE information: section name: /92
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_613D0021 pushfq ; iretd 0_2_613D002A
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_613D0D00 pushfq ; ret 0_2_613D0D01
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_613D1DFE push rsp; iretd 0_2_613D1DFF
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_613D0021 pushfq ; iretd 3_2_613D002A
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_613D0D00 pushfq ; ret 3_2_613D0D01
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_613D1DFE push rsp; iretd 3_2_613D1DFF
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_613D0021 pushfq ; iretd 4_2_613D002A
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_613D0D00 pushfq ; ret 4_2_613D0D01
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_613D1DFE push rsp; iretd 4_2_613D1DFF
Source: C:\Users\Public\pha.pif Code function: 10_2_00007FF848C8D2A5 pushad ; iretd 10_2_00007FF848C8D2A6
Source: C:\Users\Public\pha.pif Code function: 10_2_00007FF848DA09E8 push E85D835Dh; ret 10_2_00007FF848DA09F9
Source: C:\Users\Public\pha.pif Code function: 11_2_00007FF848C9D2A5 pushad ; iretd 11_2_00007FF848C9D2A6
Source: C:\Windows\System32\rundll32.exe Code function: 14_2_613D0021 pushfq ; iretd 14_2_613D002A
Source: C:\Windows\System32\rundll32.exe Code function: 14_2_613D0D00 pushfq ; ret 14_2_613D0D01
Source: C:\Windows\System32\rundll32.exe Code function: 14_2_613D1DFE push rsp; iretd 14_2_613D1DFF
Source: C:\Users\Public\pha.pif Code function: 17_2_00007FF848C8D2A5 pushad ; iretd 17_2_00007FF848C8D2A6
Source: C:\Users\Public\pha.pif Code function: 17_2_00007FF848DABA7A push E85AACD7h; ret 17_2_00007FF848DABAF9
Source: C:\Users\Public\pha.pif Code function: 17_2_00007FF848DAB9FA push E85AACD7h; ret 17_2_00007FF848DABAF9
Source: C:\Windows\System32\rundll32.exe Code function: 19_2_613D0021 pushfq ; iretd 19_2_613D002A
Source: C:\Windows\System32\rundll32.exe Code function: 19_2_613D0D00 pushfq ; ret 19_2_613D0D01
Source: C:\Windows\System32\rundll32.exe Code function: 19_2_613D1DFE push rsp; iretd 19_2_613D1DFF
Source: C:\Users\Public\pha.pif Code function: 23_2_00007FF848C8D2A5 pushad ; iretd 23_2_00007FF848C8D2A6
Source: C:\Users\Public\pha.pif Code function: 26_2_00007FF848C9D2A5 pushad ; iretd 26_2_00007FF848C9D2A6
Source: C:\Users\Public\pha.pif Code function: 26_2_00007FF848DB8615 push ebx; ret 26_2_00007FF848DB86EA
Source: C:\Users\Public\pha.pif Code function: 26_2_00007FF848DB38BA pushad ; retf 26_2_00007FF848DB38C9

Persistence and Installation Behavior

Source: C:\Windows\System32\esentutl.exe File created: C:\Users\Public\pha.pif

Boot Survival

Source: C:\Windows\System32\esentutl.exe File created: C:\Users\Public\pha.pif

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\Public\pha.pif File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Users\Public\pha.pif File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\pha.pifProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: c:\users\public\pha.pif Key value queried: Powershell behavior
Source: C:\Users\Public\pha.pif Memory allocated: 237CC2B0000 memory reserve | memory write watch
Source: C:\Users\Public\pha.pif Memory allocated: 237CC320000 memory reserve | memory write watch
Source: C:\Users\Public\pha.pif Memory allocated: 27E19EE0000 memory reserve | memory write watch
Source: C:\Users\Public\pha.pif Memory allocated: 27E1BA40000 memory reserve | memory write watch
Source: C:\Users\Public\pha.pif Memory allocated: 260B8CA0000 memory reserve | memory write watch
Source: C:\Users\Public\pha.pif Memory allocated: 260BA800000 memory reserve | memory write watch
Source: C:\Users\Public\pha.pif Memory allocated: 28110540000 memory reserve | memory write watch
Source: C:\Users\Public\pha.pif Memory allocated: 25128880000 memory reserve | memory write watch
Source: C:\Users\Public\pha.pif Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 7345
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 837
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 6703
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 987
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 6250
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 359
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 6589
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 1758
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 7597
Source: C:\Users\Public\pha.pif Window / User API: threadDelayed 1985
Source: C:\Users\Public\pha.pif TID: 7176 Thread sleep count: 7345 > 30
Source: C:\Users\Public\pha.pif TID: 528 Thread sleep count: 837 > 30
Source: C:\Users\Public\pha.pif TID: 7332 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\pha.pif TID: 7268 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\pha.pif TID: 7328 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\pha.pif TID: 7260 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\pha.pif TID: 7432 Thread sleep count: 6250 > 30
Source: C:\Users\Public\pha.pif TID: 7436 Thread sleep count: 359 > 30
Source: C:\Users\Public\pha.pif TID: 7500 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\pha.pif TID: 7456 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\Public\pha.pif TID: 7800 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\pha.pif TID: 7736 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\pha.pif TID: 7940 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\pha.pif Last function: Thread delayed
Source: C:\Users\Public\pha.pif Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\pha.pif Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_613C1D0E LoadLibraryW,GetProcAddress,GetCurrentProcess,WriteProcessMemory,0_2_613C1D0E
Source: C:\Users\Public\pha.pif Process token adjusted: Debug
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_613C2910 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_613C2910
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_613C2910 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_613C2910
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_613C2910 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_613C2910
Source: C:\Windows\System32\rundll32.exe Code function: 14_2_613C2910 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_613C2910
Source: C:\Windows\System32\rundll32.exe Code function: 19_2_613C2910 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,19_2_613C2910
Source: C:\Users\Public\pha.pif Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Process created: C:\Users\Public\pha.pif C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Users\Public\pha.pif C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1
Source: C:\Users\Public\pha.pif Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\Public\pha.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\Public\pha.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\Public\pha.pif Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\pha.pif Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\Public\pha.pif Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\Public\pha.pif Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Users\Public\pha.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Users\Public\pha.pif Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Users\Public\pha.pif Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Users\Public\pha.pif Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_613C2830 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_613C2830
Source: C:\Users\Public\pha.pifKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK Matrix

Column order: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact

A number in parentheses is the report's signature-hit badge for that technique, copied as shown; cells without a number are the matrix template and were not observed for this sample.

Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (211) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (11) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Virtualization/Sandbox Evasion (31) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information (1) | LSA Secrets | System Information Discovery (13) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Rundll32 (1) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Timestomp (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

Observed techniques by tactic:
  • Execution: Native API (1)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
  • Defense Evasion: Masquerading (211), Disable or Modify Tools (11), Virtualization/Sandbox Evasion (31), Process Injection (11), Obfuscated Files or Information (1), Rundll32 (1), Timestomp (1), DLL Side-Loading (1)
  • Discovery: System Time Discovery (1), Process Discovery (1), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), System Information Discovery (13)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1)
Behavior Graph

Behavior Graph ID: 1493796 | Sample: fed1bc0d4bf498ec8909dbc9611... | Start date: 16/08/2024 | Architecture: WINDOWS | Score: 96

Sample-level signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; PE file contains section with special chars; 3 other signatures

Process tree (the number after each process is its graph node ID; where the graph shows a count badge next to a process it is given after a semicolon; signatures attached to a node are in square brackets):

loaddll64.exe (9; badge 1) [Adds a directory exclusion to Windows Defender]
  rundll32.exe (12) [Adds a directory exclusion to Windows Defender]
    pha.pif (21; badge 23) [Powershell is started from unusual location (likely to bypass HIPS); Loading BitLocker PowerShell Module; Reads the Security eventlog]
      conhost.exe (36)
    esentutl.exe (24; badge 2) [Drops PE files to the user root directory; Drops PE files with a suspicious file extension]
      conhost.exe (38)
        conhost.exe (54)
  rundll32.exe (15)
    pha.pif (26) [Reads the System eventlog]
      conhost.exe (40)
    esentutl.exe (28)
      conhost.exe (42)
  rundll32.exe (17)
    pha.pif (30)
      conhost.exe (44)
    esentutl.exe (32)
      conhost.exe (46)
  4 other processes (19) [Powershell is started from unusual location (likely to bypass HIPS); Loading BitLocker PowerShell Module; Reads the Security eventlog; Reads the System eventlog]
    rundll32.exe (34)
      pha.pif (48; badge 24) [Powershell is started from unusual location (likely to bypass HIPS); Loading BitLocker PowerShell Module; Reads the Security eventlog; Reads the System eventlog]
      esentutl.exe (51; badge 2) -> dropped file: C:\Users\Public\pha.pif, PE32+
        conhost.exe (56)

The chain that matters for triage: loaddll64.exe loads the submitted DLL, rundll32.exe invokes it, esentutl.exe (a legitimate Windows ESE database tool) writes a PE32+ to C:\Users\Public\pha.pif, and pha.pif then behaves like a PowerShell host (loads the BitLocker module, reads the Security and System event logs) and adds a Windows Defender directory exclusion.

Antivirus, Machine Learning and Genetic Malware Detection

Submitted file (Source | Detection | Scanner | Label):
fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | 29% | Virustotal |
fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | 16% | ReversingLabs | Win64.Trojan.Barys
fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll | 100% | Joe Sandbox ML |

Dropped files (Source | Detection | Scanner | Label):
C:\Users\Public\pha.pif | 0% | ReversingLabs |

No Antivirus matches
No Antivirus matches
URLs (Source | Detection | Scanner | Label). These are strings found in pha.pif process memory, several of them truncated fragments; the report records no contacted domains or IPs.
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
http://crl.mic | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://go.mic | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
http://www.microsoft.c | 0% | Avira URL Cloud | safe
http://crl.micft.cMicRosof | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
http://crl.micros | 0% | Avira URL Cloud | safe
No contacted domains info
URLs from memory dumps (Name | Source | Malicious | Antivirus Detection | Reputation)

http://nuget.org/NuGet.exe
  Source: pha.pif, 0000000A.00000002.2421603225.00000237DCA25000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000000B.00000002.2344518931.0000027E2BBF5000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000011.00000002.2711244361.00000260CA9C6000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000017.00000002.2853632094.00000281222D7000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000001A.00000002.2905349013.000002513A717000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe; URL Reputation: safe | Reputation: unknown

https://go.mic
  Source: pha.pif, 00000011.00000002.2831818042.00000260D2B3D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

http://pesterbdd.com/images/Pester.png
  Source: pha.pif, 0000001A.00000002.2350391567.000002512A8C8000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

http://schemas.xmlsoap.org/soap/encoding/
  Source: pha.pif, 0000000A.00000002.2234969099.00000237CCBD9000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000000B.00000002.2232134749.0000027E1BDA8000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000011.00000002.2270345907.00000260BAB78000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000017.00000002.2308426212.0000028112487000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000001A.00000002.2350391567.000002512A8C8000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe; URL Reputation: safe | Reputation: unknown

http://www.apache.org/licenses/LICENSE-2.0.html
  Source: pha.pif, 0000001A.00000002.2350391567.000002512A8C8000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

http://schemas.xmlsoap.org/wsdl/
  Source: pha.pif, 0000000A.00000002.2234969099.00000237CCBD9000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000000B.00000002.2232134749.0000027E1BDA8000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000011.00000002.2270345907.00000260BAB78000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000017.00000002.2308426212.0000028112487000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000001A.00000002.2350391567.000002512A8C8000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

https://contoso.com/
  Source: pha.pif, 0000001A.00000002.2905349013.000002513A717000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

https://nuget.org/nuget.exe
  Source: pha.pif, 0000000A.00000002.2421603225.00000237DCA25000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000000B.00000002.2344518931.0000027E2BBF5000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000011.00000002.2711244361.00000260CA9C6000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000017.00000002.2853632094.00000281222D7000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000001A.00000002.2905349013.000002513A717000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe; URL Reputation: safe | Reputation: unknown

https://contoso.com/License
  Source: pha.pif, 0000001A.00000002.2905349013.000002513A717000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

http://crl.mic
  Source: pha.pif, 0000001A.00000002.2993327282.000002514297C000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

https://contoso.com/Icon
  Source: pha.pif, 0000001A.00000002.2905349013.000002513A717000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe; URL Reputation: safe | Reputation: unknown

http://crl.micft.cMicRosof
  Source: pha.pif, 0000001A.00000002.2993327282.000002514297C000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

https://aka.ms/pscore68
  Source: pha.pif, 0000000A.00000002.2234969099.00000237CC9B1000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000000B.00000002.2232134749.0000027E1BB81000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000011.00000002.2270345907.00000260BA951000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000017.00000002.2308426212.0000028112261000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000001A.00000002.2350391567.000002512A6A1000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

http://www.microsoft.c
  Source: pha.pif, 0000000A.00000002.2540156835.00000237E4CCC000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: pha.pif, 0000000A.00000002.2234969099.00000237CC9B1000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000000B.00000002.2232134749.0000027E1BB81000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000011.00000002.2270345907.00000260BA951000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 00000017.00000002.2308426212.0000028112261000.00000004.00000800.00020000.00000000.sdmp, pha.pif, 0000001A.00000002.2350391567.000002512A6A1000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

https://github.com/Pester/Pester
  Source: pha.pif, 0000001A.00000002.2350391567.000002512A8C8000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

http://crl.micros
  Source: pha.pif, 00000017.00000002.2942073165.000002812A440000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1493796
Start date and time:2024-08-16 11:34:38 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 7m 53s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Run with higher sleep bypass
Number of new started processes analysed:29
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll
renamed because original name is a hash value
Original Sample Name:fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.exe
Detection:MAL
Classification:mal96.evad.winDLL@40/27@0/0
EGA Information:
  • Successful, ratio: 50%
HCA Information:
  • Successful, ratio: 97%
  • Number of executed functions: 118
  • Number of non-executed functions: 32
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target pha.pif, PID 3996 because it is empty
  • Execution Graph export aborted for target pha.pif, PID 6180 because it is empty
  • Execution Graph export aborted for target pha.pif, PID 7348 because it is empty
  • Execution Graph export aborted for target pha.pif, PID 7632 because it is empty
  • Execution Graph export aborted for target pha.pif, PID 7844 because it is empty
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
No simulations
No context
No context
No context
No context
Joe Sandbox View / Context (Match | Associated Sample Name / URL | Detection | Threat Name)

Match: C:\Users\Public\pha.pif (the same dropped file was seen in these earlier analyses):
  • file.exe | malicious | Unknown
  • BrowserUpdater.lnk | malicious | Unknown
  • Updater.lnk | malicious | Unknown
  • ZG7UaFRPVW.exe | malicious | DBatLoader, Remcos
  • IN-34823_PO39276-pdf.vbe | malicious | Remcos, DBatLoader
  • 7XU2cRFInT.exe | malicious | Remcos, DBatLoader
  • megerosites.cmd | malicious | DBatLoader, Lokibot
  • Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe | malicious | Remcos, DBatLoader
  • Payroll for July.exe | malicious | Remcos, DBatLoader
                    Process:C:\Windows\System32\esentutl.exe
                    File Type:PE32+ executable (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):452608
                    Entropy (8bit):5.459268466661775
                    Encrypted:false
                    SSDEEP:6144:r2fdXxswSX0z/YWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:qVXqXEgW2KXzJ4pdd3klnnWosPhnzq
                    MD5:04029E121A0CFA5991749937DD22A1D9
                    SHA1:F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054
                    SHA-256:9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
                    SHA-512:6A2FB055473033FD8FDB8868823442875B5B60C115031AAEDA688A35A092F6278E8687E2AE2B8DC097F8F3F35D23959757BF0C408274A2EF5F40DDFA4B5C851B
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Joe Sandbox View:
                    • Filename: file.exe, Detection: malicious, Browse
                    • Filename: BrowserUpdater.lnk, Detection: malicious, Browse
                    • Filename: Updater.lnk, Detection: malicious, Browse
                    • Filename: ZG7UaFRPVW.exe, Detection: malicious, Browse
                    • Filename: IN-34823_PO39276-pdf.vbe, Detection: malicious, Browse
                    • Filename: 7XU2cRFInT.exe, Detection: malicious, Browse
                    • Filename: megerosites.cmd, Detection: malicious, Browse
                    • Filename: Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe, Detection: malicious, Browse
                    • Filename: Payroll for July.exe, Detection: malicious, Browse
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..%k.ovk.ovk.ovu..vi.ovb..va.ov..lwi.ov..kwq.ovk.nv.ov..nwn.ov..jwb.ov..bwb.ov..vj.ov..mwj.ovRichk.ov........................PE..d....A.~.........."..........^......@=.........@..........................................`.......... .......................................L...........}...p..........................T......................(..................`................................text............................... ..`.rdata.............................@..@.data...,....`.......L..............@....pdata.......p.......T..............@..@.rsrc....}.......~...^..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................
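The process chain in the behavior graph (rundll32.exe spawning esentutl.exe, which writes a PE32+ to C:\Users\Public\pha.pif, which in turn behaves as a PowerShell host and adds a Windows Defender directory exclusion) and the dropped-file record above (a PE behind a .pif extension with 0% ReversingLabs detection) can be turned into host-side checks. The following Python is an added example and is not part of the Joe Sandbox report or of the analysed sample: it runs the report's behaviours as rules over constructed process-creation events and over a constructed byte string. The esentutl `/y <src> /d <dst>` copy command line, the file it copies and the exact Add-MpPreference invocation are assumptions; the report shows only process names, signatures and the dropped file's hash.

```python
"""Host-side checks for the behaviour chain in this report.

Added example, not part of the Joe Sandbox report. SAMPLE_EVENTS and FAKE_PE
are constructed; the esentutl copy command line, the file it copies and the
Add-MpPreference invocation are assumptions, since the report only shows
process names, signatures and the SHA-256 of the dropped pha.pif.
"""
import base64
import hashlib
import re

# Directories any authenticated user can write to; a PE executing from here
# is the report's "started from unusual location" case.
SUSPICIOUS_DIRS = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp")
# Extensions Windows still runs as PE but that rarely carry legitimate
# binaries (the report's "suspicious file extension" case).
MASQUERADE_EXTENSIONS = (".pif", ".scr", ".com")
# SHA-256 of C:\Users\Public\pha.pif from the dropped-file record above.
REPORT_PHA_PIF_SHA256 = "9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f"

# -e, -ec, -enc and -EncodedCommand all take a base64 argument.
ENCODED_COMMAND_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENCODED_COMMAND_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Return the report behaviours a process-creation event matches."""
    hits = []
    image = event["image"].lower()
    cmd = event["cmdline"]
    cmd_l = cmd.lower()

    if image.startswith(SUSPICIOUS_DIRS):
        hits.append("Execution from suspicious folder")
    if image.endswith(MASQUERADE_EXTENSIONS):
        hits.append("Executing image has a suspicious file extension")

    # esentutl.exe /y <src> /d <dst> copies a file: a living-off-the-land way
    # to drop a binary without copy or PowerShell appearing in the command line.
    if image.endswith("\\esentutl.exe") and " /y " in cmd_l and " /d " in cmd_l:
        hits.append("esentutl.exe used to copy a file")
        if re.search(r"/d\s+\S+\.(pif|scr|com)\b", cmd_l):
            hits.append("Drops PE file with a suspicious file extension")

    # Defender exclusion via Add-MpPreference, in the clear or behind
    # -EncodedCommand; checked on the script text whatever the image is named.
    decoded = decode_encoded_command(cmd)
    script = (decoded or cmd).lower()
    if "add-mppreference" in script and "-exclusionpath" in script:
        hits.append("Adds a directory exclusion to Windows Defender")
        if decoded is not None:
            hits.append("Base64 encoded MpPreference cmdlet")
    return hits


def looks_like_pe(data):
    """True when the bytes carry an MZ stub and a PE\\0\\0 signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_dropped(path, data):
    """Return findings for a dropped file's path and content."""
    findings = []
    p = path.lower()
    if looks_like_pe(data) and not p.endswith((".exe", ".dll", ".sys")):
        findings.append("PE content behind a non-executable extension")
    if p.startswith(SUSPICIOUS_DIRS):
        findings.append("Dropped into a user-writable public directory")
    if hashlib.sha256(data).hexdigest() == REPORT_PHA_PIF_SHA256:
        findings.append("SHA-256 matches the pha.pif in this report")
    return findings


# Constructed inputs mirroring the graph: rundll32 -> esentutl copies a PE to
# C:\Users\Public\pha.pif -> pha.pif runs an encoded Add-MpPreference.
_ENC = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\sample.dll",#1'},
    {"image": r"C:\Windows\System32\esentutl.exe",
     "cmdline": r"esentutl.exe /y C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                r" /d C:\Users\Public\pha.pif /o"},
    {"image": r"C:\Users\Public\pha.pif",
     "cmdline": "C:\\Users\\Public\\pha.pif -NoProfile -enc " + _ENC},
]
# A minimal constructed PE header: MZ stub, e_lfanew = 0x40, PE signature.
FAKE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 20

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"], "->", evaluate(ev))
    print(classify_dropped(r"C:\Users\Public\pha.pif", FAKE_PE))
```

Feed `evaluate` Sysmon event ID 1 or Security 4688 records (image path plus command line) and `classify_dropped` the files under C:\Users\Public; the hash rule is exact-match only, so the PE-header and extension rules are what catch a rebuilt copy of the dropper. The Defender rule deliberately keys on the decoded script rather than the image name, because in this report PowerShell runs as pha.pif, not powershell.exe.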
                    Process:C:\Users\Public\pha.pif
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):3817
                    Entropy (8bit):5.359017561491687
                    Encrypted:false
                    SSDEEP:96:iqbYqGSI6o9xYsntpDxqKkWqmq1ftzHNYrKaqWiNLmSRIzQ0cBjwQyUII:iqbYqGcQtpDxqKkWqmq1ftzHuLqzIzQr
                    MD5:5E3DD85B96A2A1A844D35322C2A7CF80
                    SHA1:62541AED2E47BCFE4567D76D33D32DFDB19E220B
                    SHA-256:A2AA8EC59AEEC369CA207D72014F6F509805DDA6F61BBF27200769792DA40DA6
                    SHA-512:3251CE7E0ADD3A6485591A41F81BDBACE10BA0219E80B5C76FBC2AA285955BE02E9170D215CA21F16EEC7538BD840627035992030053F8B2FBE5D3BECDE20DAF
                    Malicious:false
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\0827b790b8e74d0d12643297a812ae07\Microsoft.PowerShell.ConsoleHost.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\27947b366dfb4feddb2be787d72ca90d\System.Management.Automation.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d5
                    Process:C:\Users\Public\pha.pif
                    File Type:data
                    Category:dropped
                    Size (bytes):64
                    Entropy (8bit):0.34726597513537405
                    Encrypted:false
                    SSDEEP:3:Nlll:Nll
                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                    Malicious:false
                    Preview:@...e...........................................................
                    Process:C:\Users\Public\pha.pif
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Users\Public\pha.pif
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Users\Public\pha.pif
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Users\Public\pha.pif
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Users\Public\pha.pif
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Users\Public\pha.pif
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Users\Public\pha.pif
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Users\Public\pha.pif
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Users\Public\pha.pif
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Users\Public\pha.pif
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Users\Public\pha.pif
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Users\Public\pha.pif
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\System32\esentutl.exe
                    File Type:ASCII text, with CRLF, CR line terminators
                    Category:dropped
                    Size (bytes):517
                    Entropy (8bit):4.777892577067821
                    Encrypted:false
                    SSDEEP:12:q6pK8+n/xTnXceSbZ7u0wxDDDDDDDDjC43j/SXRYqjB:/pK1/xTXcp7u0wQAmuoB
                    MD5:9F5DE02CE9641D16449A4477957570EF
                    SHA1:DBDDF8DAC9D49669D676EF7E905F4D6D473D9086
                    SHA-256:8EECA75A47000743FB45D80D0ADB32BB8821F3F248E16FC3EF918724D0055B3D
                    SHA-512:B2702CD06DF160AB41A586D130D09F4F5C06A944DC06C964573E98C36ECAA19F0122A636B626A6FF8F6B4A9569031F950B0324B30837AEC4529F080078358A8E
                    Malicious:false
                    Preview:..Initiating COPY FILE mode..... Source File: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe...Destination File: C:\\Users\\Public\\pha.pif...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... FAILURE: CreateFile: (80), The file exists............Operation terminated with error -1 (JET_wrnNyi, Function Not Yet Implemented) after 0.0 seconds.........
                    File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Entropy (8bit):5.412847298517685
                    TrID:
                    • Win64 Dynamic Link Library (generic) (102004/3) 86.41%
                    • Win64 Executable (generic) (12005/4) 10.17%
                    • Generic Win/DOS Executable (2004/3) 1.70%
                    • DOS Executable Generic (2002/1) 1.70%
                    • VXD Driver (31/22) 0.03%
                    File name:fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll
                    File size:92'160 bytes
                    MD5:cd6bf0fea07fff98c49a1ef6ccd11207
                    SHA1:8c043e4f7778b90538944cb2aea806831bf79d32
                    SHA256:998b6a7ad1579c31d13a53c37e184b58491bbaed016fa55cec1cd411c6989e2e
                    SHA512:b3e924a50af5d9e8cc6378f5c18867f1e3707acd4f0e607b5af1c86e193609451c404dfb372f5ccf65440465c428d00b4b2a7b6c89b65e71898257e721b05688
                    SSDEEP:1536:AiZmst3xID3zvytXt9bmsvgcGw5jxM+oC8XEWCl7MbiRkR1:AiZmst3a/c9bqcGn+oC8XE0R1
                    TLSH:F1934B4EEF62DDABC817C73049E6431C1735E24416899B173E1A8A3D6E2F770EF98186
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.b......... .....*... ................<a.............................0................ ............................
                    Icon Hash:7ae282899bbab082
                    Entrypoint:0x613c13e0
                    Entrypoint Section:.
                    Digitally signed:false
                    Imagebase:0x613c0000
                    Subsystem:windows cui
                    Image File Characteristics:EXECUTABLE_IMAGE, DLL
                    DLL Characteristics:
                    Time Stamp:0x66A907D1 [Tue Jul 30 15:33:37 2024 UTC]
                    TLS Callbacks:0x613c2ea0
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:b0ee9fca3049b669e21f2d2e0653be78
                    Instruction
                    dec eax
                    sub esp, 48h
                    dec eax
                    mov eax, dword ptr [00003F25h]
                    cmp edx, 01h
                    mov dword ptr [eax], 00000000h
                    je 00007F7F30D3B21Ch
                    dec eax
                    add esp, 48h
                    jmp 00007F7F30D3B0A6h
                    nop
                    dec esp
                    mov dword ptr [esp+38h], eax
                    mov dword ptr [esp+34h], edx
                    dec eax
                    mov dword ptr [esp+28h], ecx
                    call 00007F7F30D3C632h
                    call 00007F7F30D3C9BDh
                    dec esp
                    mov eax, dword ptr [esp+38h]
                    mov edx, dword ptr [esp+34h]
                    dec eax
                    mov ecx, dword ptr [esp+28h]
                    dec eax
                    add esp, 48h
                    jmp 00007F7F30D3B076h
                    nop
                    push ebp
                    dec eax
                    mov ebp, esp
                    dec eax
                    sub esp, 40h
                    dec eax
                    mov dword ptr [ebp+10h], ecx
                    mov byte ptr [ebp-01h], 00000000h
                    dec eax
                    mov ecx, dword ptr [ebp+10h]
                    call 00007F7F30D3D42Ch
                    dec eax
                    shl eax, 02h
                    dec eax
                    mov edx, AAAAAAABh
                    stosb
                    stosb
                    stosb
                    stosb
                    dec eax
                    mul edx
                    dec eax
                    mov eax, edx
                    dec eax
                    shr eax, 1
                    dec eax
                    add eax, 04h
                    dec eax
                    mov ecx, eax
                    call 00007F7F30D3D3E9h
                    dec eax
                    mov dword ptr [ebp-18h], eax
                    mov dword ptr [ebp-08h], 00000000h
                    mov dword ptr [ebp-0Ch], 00000000h
                    mov dword ptr [ebp-08h], 00000000h
                    jmp 00007F7F30D3B328h
                    movzx eax, byte ptr [ebp-01h]
                    mov edx, eax
                    add edx, 01h
                    mov byte ptr [ebp-01h], dl
                    movsx eax, al
                    mov edx, dword ptr [ebp-08h]
                    dec eax
                    arpl dx, cx
                    dec eax
                    mov edx, dword ptr [ebp+10h]
                    dec eax
                    add edx, ecx
                    movzx eax, byte ptr [eax]
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x9000 | 0x15c | .
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa000 | 0x800 | .
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6000 | 0x27c | .
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd000 | 0x5c | .
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0xc020 | 0x28 | .
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0xa1f4 | 0x1b8 | .
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    . | 0x1000 | 0x2810 | 0x2a00 | 3c11d50f49f9ed91f93d10024f5d077a | False | 0.5254836309523809 | data | 5.948288484710761 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    . | 0x4000 | 0x90 | 0x200 | 47819e70df701b21e3af22c27ddb88fc | False | 0.20703125 | data | 1.7473416893362768 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    . | 0x5000 | 0x5c0 | 0x600 | e03f7ecceeb971a657754c2442c5d91c | False | 0.2994791666666667 | data | 4.03558142481659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                    . | 0x6000 | 0x27c | 0x400 | b8f2e4da2c68738a6d6ddfd9f6d7f2ce | False | 0.35546875 | data | 2.7346732619257064 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                    . | 0x7000 | 0x234 | 0x400 | 02be90b5fd30fc6e45ed1588be5fff26 | False | 0.232421875 | locale data table | 2.812013321884877 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                    . | 0x8000 | 0x980 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    . | 0x9000 | 0x15c | 0x200 | cc9272152b0d60129d8c688f189e0c3f | False | 0.529296875 | data | 3.6699039131979863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                    . | 0xa000 | 0x800 | 0x800 | 85032acfe5935c0be1b5ee0b4f134aa3 | False | 0.36767578125 | data | 4.091512851560753 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    . | 0xb000 | 0x58 | 0x200 | 76a8e01a43b5a2174a8cacbf4c7d16c6 | False | 0.056640625 | data | 0.20153937813451883 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    . | 0xc000 | 0x68 | 0x200 | 07c7cdb09bba338a9276e71553c08c8e | False | 0.05859375 | data | 0.27015680731160896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    . | 0xd000 | 0x5c | 0x200 | d9a0c8f7d0bca650c24ea5dbb8769f65 | False | 0.185546875 | data | 1.0010043973382599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    /4 | 0xe000 | 0x340 | 0x400 | 2a4fb0b4aa1e6ba712f9bc80194591a3 | False | 0.2109375 | data | 1.4775019099080853 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    /19 | 0xf000 | 0x9bde | 0x9c00 | c7016656cca867b8096b3536e343e7f5 | False | 0.4014423076923077 | data | 6.000965027226234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    /31 | 0x19000 | 0x1680 | 0x1800 | ebdc2ab2fbfba99053c0ee0c31fd8b24 | False | 0.24495442708333334 | data | 4.485717658585147 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    /45 | 0x1b000 | 0x1534 | 0x1600 | 58868bb7b28a2c5a847f526f71bdfdc3 | False | 0.3595525568181818 | data | 5.647940606243863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    /57 | 0x1d000 | 0xa50 | 0xc00 | ea65fe74b5d1ace9a4fdfb8dad93191d | False | 0.306640625 | data | 4.057482921881326 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    /70 | 0x1e000 | 0x12e | 0x200 | 786a85e4e51a48bc8a3129bf00c60fa3 | False | 0.361328125 | data | 3.428488224423994 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    /81 | 0x1f000 | 0x2e89 | 0x3000 | 79147b589362b6aba64babc00cb76d57 | False | 0.19856770833333334 | data | 2.2846455098636906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    /92 | 0x22000 | 0x550 | 0x600 | d0bbe15d06a55ed7ff30753ed519f32a | False | 0.21028645833333334 | data | 1.3759351367840893 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    DLL | Import
                    KERNEL32.dll | CloseHandle, CreateToolhelp32Snapshot, DeleteCriticalSection, EnterCriticalSection, ExitProcess, FreeLibrary, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetModuleHandleW, GetProcAddress, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryW, Process32First, Process32Next, QueryPerformanceCounter, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery, WinExec, WriteProcessMemory
                    msvcrt.dll | __dllonexit, __iob_func, _amsg_exit, _initterm, _lock, _onexit, _unlock, abort, calloc, free, fwrite, malloc, memcpy, puts, rand, signal, strcmp, strlen, strncmp, vfprintf
                    Name | Ordinal | Address
                    ASSnko | 1 | 0x613c1d97
                    FindProcessId | 2 | 0x613c1848
                    NetApiBufferFree | 3 | 0x613c1e5f
                    NetpIsRemote | 4 | 0x613c1e6b
                    NetpwNameValidate | 5 | 0x613c1e59
                    NetpwPathType | 6 | 0x613c1e65
                    PxBu | 7 | 0x613c1c79
                    Pxon | 8 | 0x613c1d0e
                    base46_map | 9 | 0x613c4000
                    base64_decode | 10 | 0x613c16dc
                    base64_encode | 11 | 0x613c1430
                    decrypt | 12 | 0x613c1b61
                    encrypt | 13 | 0x613c19b9
                    revstr | 14 | 0x613c192a
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Aug 16, 2024 11:36:23.093249083 CEST | 53 | 57512 | 162.159.36.2 | 192.168.2.5
                    Aug 16, 2024 11:36:23.580545902 CEST | 53 | 53689 | 1.1.1.1 | 192.168.2.5

                    Target ID:0
                    Start time:05:35:35
                    Start date:16/08/2024
                    Path:C:\Windows\System32\loaddll64.exe
                    Wow64 process (32bit):false
                    Commandline:loaddll64.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll"
                    Imagebase:0x7ff6e5960000
                    File size:165'888 bytes
                    MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:1
                    Start time:05:35:35
                    Start date:16/08/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:2
                    Start time:05:35:36
                    Start date:16/08/2024
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1
                    Imagebase:0x7ff68c740000
                    File size:289'792 bytes
                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:3
                    Start time:05:35:36
                    Start date:16/08/2024
                    Path:C:\Windows\System32\rundll32.exe
                    Wow64 process (32bit):false
                    Commandline:rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,ASSnko
                    Imagebase:0x7ff6054a0000
                    File size:71'680 bytes
                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:4
                    Start time:05:35:36
                    Start date:16/08/2024
                    Path:C:\Windows\System32\rundll32.exe
                    Wow64 process (32bit):false
                    Commandline:rundll32.exe "C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll",#1
                    Imagebase:0x7ff6054a0000
                    File size:71'680 bytes
                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:5
                    Start time:05:35:36
                    Start date:16/08/2024
                    Path:C:\Windows\System32\esentutl.exe
                    Wow64 process (32bit):false
                    Commandline:esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
                    Imagebase:0x7ff732fc0000
                    File size:409'600 bytes
                    MD5 hash:E2098B56CF093E165D030E27591CE498
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:6
                    Start time:05:35:36
                    Start date:16/08/2024
                    Path:C:\Windows\System32\esentutl.exe
                    Wow64 process (32bit):false
                    Commandline:esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
                    Imagebase:0x7ff732fc0000
                    File size:409'600 bytes
                    MD5 hash:E2098B56CF093E165D030E27591CE498
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:7
                    Start time:05:35:36
                    Start date:16/08/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:8
                    Start time:05:35:36
                    Start date:16/08/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:10
                    Start time:05:35:38
                    Start date:16/08/2024
                    Path:C:\Users\Public\pha.pif
                    Wow64 process (32bit):false
                    Commandline:C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
                    Imagebase:0x7ff66ae10000
                    File size:452'608 bytes
                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Antivirus matches:
                    • Detection: 0%, ReversingLabs
                    Reputation:high
                    Has exited:true

                    Target ID:11
                    Start time:05:35:38
                    Start date:16/08/2024
                    Path:C:\Users\Public\pha.pif
                    Wow64 process (32bit):false
                    Commandline:C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
                    Imagebase:0x7ff66ae10000
                    File size:452'608 bytes
                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:12
                    Start time:05:35:38
                    Start date:16/08/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:13
                    Start time:05:35:38
                    Start date:16/08/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:14
                    Start time:05:35:39
                    Start date:16/08/2024
                    Path:C:\Windows\System32\rundll32.exe
                    Wow64 process (32bit):false
                    Commandline:rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,FindProcessId
                    Imagebase:0x7ff6054a0000
                    File size:71'680 bytes
                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:15
                    Start time:05:35:39
                    Start date:16/08/2024
                    Path:C:\Windows\System32\esentutl.exe
                    Wow64 process (32bit):false
                    Commandline:esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
                    Imagebase:0x7ff732fc0000
                    File size:409'600 bytes
                    MD5 hash:E2098B56CF093E165D030E27591CE498
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:16
                    Start time:05:35:39
                    Start date:16/08/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:17
                    Start time:05:35:41
                    Start date:16/08/2024
                    Path:C:\Users\Public\pha.pif
                    Wow64 process (32bit):false
                    Commandline:C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
                    Imagebase:0x7ff66ae10000
                    File size:452'608 bytes
                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:18
                    Start time:05:35:41
                    Start date:16/08/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:19
                    Start time:05:35:42
                    Start date:16/08/2024
                    Path:C:\Windows\System32\rundll32.exe
                    Wow64 process (32bit):false
                    Commandline:rundll32.exe C:\Users\user\Desktop\fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll,NetApiBufferFree
                    Imagebase:0x7ff6054a0000
                    File size:71'680 bytes
                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:20
                    Start time:05:35:42
                    Start date:16/08/2024
                    Path:C:\Windows\System32\esentutl.exe
                    Wow64 process (32bit):false
                    Commandline:esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
                    Imagebase:0x7ff732fc0000
                    File size:409'600 bytes
                    MD5 hash:E2098B56CF093E165D030E27591CE498
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:21
                    Start time:05:35:42
                    Start date:16/08/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:23
                    Start time:05:35:44
                    Start date:16/08/2024
                    Path:C:\Users\Public\pha.pif
                    Wow64 process (32bit):false
                    Commandline:C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
                    Imagebase:0x7ff66ae10000
                    File size:452'608 bytes
                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:24
                    Start time:05:35:44
                    Start date:16/08/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:25
                    Start time:05:35:45
                    Start date:16/08/2024
                    Path:C:\Windows\System32\esentutl.exe
                    Wow64 process (32bit):false
                    Commandline:esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
                    Imagebase:0x7ff732fc0000
                    File size:409'600 bytes
                    MD5 hash:E2098B56CF093E165D030E27591CE498
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:26
                    Start time:05:35:47
                    Start date:16/08/2024
                    Path:C:\Users\Public\pha.pif
                    Wow64 process (32bit):false
                    Commandline:C:\\Users\\Public\\pha.pif -Command "Add-MpPreference -ExclusionPath 'C:\'"
                    Imagebase:0x7ff66ae10000
                    File size:452'608 bytes
                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true


                      Execution Graph

                      Execution Coverage:20.8%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:5.3%
                      Total number of Nodes:150
                      Total number of Limit Nodes:2

                      Callgraph


                      Control-flow Graph

                      APIs
                        • Part of subcall function 613C1D97: LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                      • WinExec.KERNEL32 ref: 613C202C
                        • Part of subcall function 613C3620: Sleep.KERNEL32 ref: 613C362A
                      • WinExec.KERNEL32 ref: 613C21C2
                      • ExitProcess.KERNEL32 ref: 613C2228
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2206704336.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000000.00000002.2206684937.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206722644.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206747875.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207046307.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207067041.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207083734.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_613c0000_loaddll64.jbxd
                      Similarity
                      • API ID: Exec$ExitLibraryLoadProcessSleep
                      • String ID: 4VULgU2Y$=82LgYWaw5SYoBHXcNWasJWdQxFXzJXZzVFXcpzQgQ2LgUGel5CbsVGazJXZ39GccxFMuEjdcxFbsVGaTJXZ39GUzd3bk5WaXxFXyMTblR3c5NFXcN3dvRmbpdFXcpzQgk3LgwGd1RnblNXZ$==Qaz1WQ$=cmbpJHd$=cmbpJHd$T5WYjNVa$T5WYjNVa$gYWaw5SY$ggGdhBlb$h1WbvNUL$icCX6M0J$kFkIgQmb$oBHXcNWa$sJWdQxFX$uVmclZWZ$vl2c1x2Y$yBFcN1CZ$z1WQ$z1WQ$zJXZzVFX
                      • API String ID: 1758684399-1342957281
                      • Opcode ID: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                      • Instruction ID: a98b6bfe7a99aebf3bb0dc4532f6b7cdca838be127f0f4748d87de296261d5c7
                      • Opcode Fuzzy Hash: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                      • Instruction Fuzzy Hash: 74813E75701B869DCF24EBA6A8543E873A5A785F8CF4480398E8E5FB18FF38C6159341

                      Control-flow Graph

                      APIs
                      • RtlAddFunctionTable.KERNEL32 ref: 613C2C9A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2206704336.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000000.00000002.2206684937.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206722644.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206747875.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207046307.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207067041.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207083734.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_613c0000_loaddll64.jbxd
                      Similarity
                      • API ID: FunctionTable
                      • String ID: .pdata
                      • API String ID: 1252446317-4177594709
                      • Opcode ID: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                      • Instruction ID: a98d7effac0a08117c3fa1e10c50b581c5c7b73d9eed72f9ca58742f97c7602a
                      • Opcode Fuzzy Hash: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                      • Instruction Fuzzy Hash: 4621B472B022609AFB058FA9DA443947B62A788F98F4CD024CE0B57314EB3A9A61D755

                      Control-flow Graph

                      APIs
                      • LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2206704336.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000000.00000002.2206684937.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206722644.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206747875.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207046307.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207067041.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207083734.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_613c0000_loaddll64.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                      • Instruction ID: c1c33eecdd383886d2d8d2bb6f1c2682b4f93b08dfe668e5ddc8be9d462bd23a
                      • Opcode Fuzzy Hash: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                      • Instruction Fuzzy Hash: 06210B72B11B608CE700DBB9EC4439C3B71A348B98F044515DE6DA7BA8EF39C650C394

                      Control-flow Graph

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2206704336.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000000.00000002.2206684937.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206722644.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206747875.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207046307.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207067041.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207083734.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_613c0000_loaddll64.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                      • Instruction ID: e9c459437bb93fbad0663031f86f151610a23291e51109e838943003221a6897
                      • Opcode Fuzzy Hash: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                      • Instruction Fuzzy Hash: F0B01220F13160C3D70C33769C9635850D5574C300FD000288107842A0DC9D02A64640

                      Control-flow Graph

                      APIs
                      • RtlCaptureContext.KERNEL32 ref: 613C2924
                      • RtlLookupFunctionEntry.KERNEL32 ref: 613C293B
                      • RtlVirtualUnwind.KERNEL32 ref: 613C297D
                      • SetUnhandledExceptionFilter.KERNEL32 ref: 613C29C4
                      • UnhandledExceptionFilter.KERNEL32 ref: 613C29D1
                      • GetCurrentProcess.KERNEL32 ref: 613C29D7
                      • TerminateProcess.KERNEL32 ref: 613C29E5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2206704336.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000000.00000002.2206684937.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206722644.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206747875.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207046307.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207067041.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207083734.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_613c0000_loaddll64.jbxd
                      Similarity
                      • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
                      • String ID:
                      • API String ID: 3266983031-0
                      • Opcode ID: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                      • Instruction ID: e8e25b836daba40db766a00739c45693a0588c7fa2b6924b27fae8a827f53c88
                      • Opcode Fuzzy Hash: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                      • Instruction Fuzzy Hash: E421D375611B31D9EB008B61F8843C937AAB748B98F480566D94F67734EF3AC764C780

                      Control-flow Graph

                      APIs
                      • GetSystemTimeAsFileTime.KERNEL32 ref: 613C2875
                      • GetCurrentProcessId.KERNEL32 ref: 613C2880
                      • GetCurrentThreadId.KERNEL32 ref: 613C2888
                      • GetTickCount.KERNEL32 ref: 613C2890
                      • QueryPerformanceCounter.KERNEL32 ref: 613C289D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2206704336.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000000.00000002.2206684937.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206722644.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206747875.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207046307.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207067041.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207083734.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_613c0000_loaddll64.jbxd
                      Similarity
                      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                      • String ID:
                      • API String ID: 1445889803-0
                      • Opcode ID: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                      • Instruction ID: fbcbe058b436404562c126ae5aac31350f057f625ad19c487ba693073682924f
                      • Opcode Fuzzy Hash: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                      • Instruction Fuzzy Hash: 6411BF33756B3082F7005B25B904385B2A2B788BA0F0C5231EE5E53BA4EF3DC9968340

                      Control-flow Graph

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2206704336.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000000.00000002.2206684937.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206722644.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206747875.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207046307.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207067041.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207083734.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_613c0000_loaddll64.jbxd
                      Similarity
                      • API ID:
                      • String ID: 1$H$QW1zaU9wZW5TZXNzaW9u$amsi
                      • API String ID: 0-2475992684
                      • Opcode ID: 1bb04ba2f0fa43a65cbcdff75b826ee074d1c3cac69b7fde60ac233b5bb34267
                      • Instruction ID: 48afebd15f5027fc2ff16c9ee842c811c6bede606a0100d88bde5cd432c053ef
                      • Opcode Fuzzy Hash: 1bb04ba2f0fa43a65cbcdff75b826ee074d1c3cac69b7fde60ac233b5bb34267
                      • Instruction Fuzzy Hash: AA012C32710B64CCEB019BB5EC413EC3772A358B88F480616CE5DA7764EF2AC3618390

                      Control-flow Graph

                      APIs
                      • VirtualQuery.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2620
                      • VirtualProtect.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2642
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2206704336.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000000.00000002.2206684937.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206722644.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206747875.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207046307.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207067041.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207083734.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_613c0000_loaddll64.jbxd
                      Similarity
                      • API ID: Virtual$ProtectQuery
                      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p$T@<a
                      • API String ID: 1027372294-2627587640
                      • Opcode ID: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                      • Instruction ID: 62939e9ad82f9327e1e07ec4eefc127d92b0ac663fd755b0084f4618bd059482
                      • Opcode Fuzzy Hash: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                      • Instruction Fuzzy Hash: 2771DE76B11A2489EB01CF76EA8078AB362B748FACF48D115CD1F17358DB3AC911C352

                      Control-flow Graph

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2206704336.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000000.00000002.2206684937.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206722644.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2206747875.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207046307.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207067041.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2207083734.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_613c0000_loaddll64.jbxd
                      Similarity
                      • API ID: QueryVirtual
                      • String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$T@<a
                      • API String ID: 1804819252-4232178576
                      • Opcode ID: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                      • Instruction ID: 6a292cefe7e1f4070340493715416b3679d18dd40189ba87be4cd8971f2c6506
                      • Opcode Fuzzy Hash: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                      • Instruction Fuzzy Hash: 2631F673701A649AE601DF12ED04B967B65F788FE8F48C121DE1E17320DB3AD652C740

                      Execution Graph

                      Execution Coverage: 20.8%
                      Dynamic/Decrypted Code Coverage: 0%
                      Signature Coverage: 0%
                      Total number of Nodes: 150
                      Total number of Limit Nodes: 2

                      Callgraph


                      Control-flow Graph

                      APIs
                        • Part of subcall function 613C1D97: LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                      • WinExec.KERNEL32 ref: 613C202C
                        • Part of subcall function 613C3620: Sleep.KERNEL32 ref: 613C362A
                      • WinExec.KERNEL32 ref: 613C21C2
                      • ExitProcess.KERNEL32 ref: 613C2228
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.2112962499.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000003.00000002.2112940714.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2112983423.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113006770.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113035391.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113055533.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113099480.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: Exec$ExitLibraryLoadProcessSleep
                      • String ID: 4VULgU2Y$=82LgYWaw5SYoBHXcNWasJWdQxFXzJXZzVFXcpzQgQ2LgUGel5CbsVGazJXZ39GccxFMuEjdcxFbsVGaTJXZ39GUzd3bk5WaXxFXyMTblR3c5NFXcN3dvRmbpdFXcpzQgk3LgwGd1RnblNXZ$==Qaz1WQ$=cmbpJHd$=cmbpJHd$T5WYjNVa$T5WYjNVa$gYWaw5SY$ggGdhBlb$h1WbvNUL$icCX6M0J$kFkIgQmb$oBHXcNWa$sJWdQxFX$uVmclZWZ$vl2c1x2Y$yBFcN1CZ$z1WQ$z1WQ$zJXZzVFX
                      • API String ID: 1758684399-1342957281
                      • Opcode ID: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                      • Instruction ID: a98b6bfe7a99aebf3bb0dc4532f6b7cdca838be127f0f4748d87de296261d5c7
                      • Opcode Fuzzy Hash: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                      • Instruction Fuzzy Hash: 74813E75701B869DCF24EBA6A8543E873A5A785F8CF4480398E8E5FB18FF38C6159341

                      Control-flow Graph

                      APIs
                      • RtlAddFunctionTable.KERNEL32 ref: 613C2C9A
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.2112962499.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000003.00000002.2112940714.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2112983423.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113006770.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113035391.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113055533.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113099480.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: FunctionTable
                      • String ID: .pdata
                      • API String ID: 1252446317-4177594709
                      • Opcode ID: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                      • Instruction ID: a98d7effac0a08117c3fa1e10c50b581c5c7b73d9eed72f9ca58742f97c7602a
                      • Opcode Fuzzy Hash: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                      • Instruction Fuzzy Hash: 4621B472B022609AFB058FA9DA443947B62A788F98F4CD024CE0B57314EB3A9A61D755

                      Control-flow Graph

                      APIs
                      • LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                      Memory Dump Source
                      • Source File: 00000003.00000002.2112962499.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000003.00000002.2112940714.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2112983423.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113006770.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113035391.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113055533.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113099480.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                      • Instruction ID: c1c33eecdd383886d2d8d2bb6f1c2682b4f93b08dfe668e5ddc8be9d462bd23a
                      • Opcode Fuzzy Hash: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                      • Instruction Fuzzy Hash: 06210B72B11B608CE700DBB9EC4439C3B71A348B98F044515DE6DA7BA8EF39C650C394

                      Control-flow Graph

                      APIs
                      Memory Dump Source
                      • Source File: 00000003.00000002.2112962499.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000003.00000002.2112940714.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2112983423.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113006770.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113035391.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113055533.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113099480.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                      • Instruction ID: e9c459437bb93fbad0663031f86f151610a23291e51109e838943003221a6897
                      • Opcode Fuzzy Hash: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                      • Instruction Fuzzy Hash: F0B01220F13160C3D70C33769C9635850D5574C300FD000288107842A0DC9D02A64640

                      Control-flow Graph

                      APIs
                      • RtlCaptureContext.KERNEL32 ref: 613C2924
                      • RtlLookupFunctionEntry.KERNEL32 ref: 613C293B
                      • RtlVirtualUnwind.KERNEL32 ref: 613C297D
                      • SetUnhandledExceptionFilter.KERNEL32 ref: 613C29C4
                      • UnhandledExceptionFilter.KERNEL32 ref: 613C29D1
                      • GetCurrentProcess.KERNEL32 ref: 613C29D7
                      • TerminateProcess.KERNEL32 ref: 613C29E5
                      Memory Dump Source
                      • Source File: 00000003.00000002.2112962499.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000003.00000002.2112940714.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2112983423.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113006770.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113035391.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113055533.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113099480.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
                      • String ID:
                      • API String ID: 3266983031-0
                      • Opcode ID: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                      • Instruction ID: e8e25b836daba40db766a00739c45693a0588c7fa2b6924b27fae8a827f53c88
                      • Opcode Fuzzy Hash: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                      • Instruction Fuzzy Hash: E421D375611B31D9EB008B61F8843C937AAB748B98F480566D94F67734EF3AC764C780

                      Control-flow Graph

                      APIs
                      • VirtualQuery.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2620
                      • VirtualProtect.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2642
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.2112962499.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000003.00000002.2112940714.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2112983423.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113006770.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113035391.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113055533.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113099480.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: Virtual$ProtectQuery
                      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p$T@<a
                      • API String ID: 1027372294-2627587640
                      • Opcode ID: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                      • Instruction ID: 62939e9ad82f9327e1e07ec4eefc127d92b0ac663fd755b0084f4618bd059482
                      • Opcode Fuzzy Hash: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                      • Instruction Fuzzy Hash: 2771DE76B11A2489EB01CF76EA8078AB362B748FACF48D115CD1F17358DB3AC911C352

                      Control-flow Graph

                      APIs
                      • GetSystemTimeAsFileTime.KERNEL32 ref: 613C2875
                      • GetCurrentProcessId.KERNEL32 ref: 613C2880
                      • GetCurrentThreadId.KERNEL32 ref: 613C2888
                      • GetTickCount.KERNEL32 ref: 613C2890
                      • QueryPerformanceCounter.KERNEL32 ref: 613C289D
                      Memory Dump Source
                      • Source File: 00000003.00000002.2112962499.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000003.00000002.2112940714.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2112983423.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113006770.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113035391.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113055533.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113099480.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                      • String ID:
                      • API String ID: 1445889803-0
                      • Opcode ID: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                      • Instruction ID: fbcbe058b436404562c126ae5aac31350f057f625ad19c487ba693073682924f
                      • Opcode Fuzzy Hash: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                      • Instruction Fuzzy Hash: 6411BF33756B3082F7005B25B904385B2A2B788BA0F0C5231EE5E53BA4EF3DC9968340

                      Control-flow Graph

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.2112962499.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000003.00000002.2112940714.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2112983423.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113006770.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113035391.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113055533.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000003.00000002.2113099480.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: QueryVirtual
                      • String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$T@<a
                      • API String ID: 1804819252-4232178576
                      • Opcode ID: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                      • Instruction ID: 6a292cefe7e1f4070340493715416b3679d18dd40189ba87be4cd8971f2c6506
                      • Opcode Fuzzy Hash: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                      • Instruction Fuzzy Hash: 2631F673701A649AE601DF12ED04B967B65F788FE8F48C121DE1E17320DB3AD652C740

                      Execution Graph

                      Execution Coverage:20.8%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:0%
                      Total number of Nodes:150
                      Total number of Limit Nodes:2
                      • Rendered graph omitted. Main path: 613c1290 -> 613c2470 (VirtualQuery, VirtualProtect) -> 613c1050 (Sleep loops at 613c1094 and 613c1119) -> 613c2810 -> 613c2f20 -> 613c36b8 (__dllonexit); 613c137a -> 613c222b -> 613c1e6b, which calls 613c1d97 (LoadLibraryW) repeatedly, WinExec at 613c201d, 613c3620 (Sleep), WinExec again at 613c21b3 and ExitProcess at 613c221c.
                      • Other roots: 613c13e0 -> 613c2830 (GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter) -> 613c2bc0 -> RtlAddFunctionTable at 613c2c90; 613c2910 (RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess); 613c2e70 and 613c2ea0 -> 613c3530 (InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection; 613c33a0: TlsGetValue, GetLastError); 613c3410 and 613c3490 (EnterCriticalSection, LeaveCriticalSection); 613c3789 (RtlLookupFunctionEntry); 613c37b1 (RtlAddFunctionTable).

                      Callgraph

                      • Rendered call graph omitted. Notable edges: Function_613C1290 -> 613C222B, 613C3610, 613C2810, 613C2470, 613C1050; Function_613C222B -> 613C1E6B (also 613C1E65, 613C1E5F, 613C1E59); Function_613C1E6B -> 613C192A, 613C3620 (Sleep), 613C1D97 (LoadLibraryW), 613C16DC and itself; Function_613C13E0 -> 613C2830, 613C2BC0; Function_613C2BC0 -> 613C31B0, 613C3080, 613C3240; Function_613C2470 -> 613C2300, 613C3170, 613C35D0; Function_613C2E70 and Function_613C2EA0 -> 613C3530 -> 613C33A0.

                      Control-flow Graph

                      APIs
                        • Part of subcall function 613C1D97: LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                      • WinExec.KERNEL32 ref: 613C202C
                        • Part of subcall function 613C3620: Sleep.KERNEL32 ref: 613C362A
                      • WinExec.KERNEL32 ref: 613C21C2
                      • ExitProcess.KERNEL32 ref: 613C2228
                      Strings
                      Memory Dump Source
                      • Source File: 00000004.00000002.2112951225.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000004.00000002.2112927560.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2112972189.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2112993198.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113017912.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113037134.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113056871.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: Exec$ExitLibraryLoadProcessSleep
                      • String ID: 4VULgU2Y$=82LgYWaw5SYoBHXcNWasJWdQxFXzJXZzVFXcpzQgQ2LgUGel5CbsVGazJXZ39GccxFMuEjdcxFbsVGaTJXZ39GUzd3bk5WaXxFXyMTblR3c5NFXcN3dvRmbpdFXcpzQgk3LgwGd1RnblNXZ$==Qaz1WQ$=cmbpJHd$=cmbpJHd$T5WYjNVa$T5WYjNVa$gYWaw5SY$ggGdhBlb$h1WbvNUL$icCX6M0J$kFkIgQmb$oBHXcNWa$sJWdQxFX$uVmclZWZ$vl2c1x2Y$yBFcN1CZ$z1WQ$z1WQ$zJXZzVFX
                      • API String ID: 1758684399-1342957281
                      • Opcode ID: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                      • Instruction ID: a98b6bfe7a99aebf3bb0dc4532f6b7cdca838be127f0f4748d87de296261d5c7
                      • Opcode Fuzzy Hash: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                      • Instruction Fuzzy Hash: 74813E75701B869DCF24EBA6A8543E873A5A785F8CF4480398E8E5FB18FF38C6159341
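The String ID entries of this function are the tell-tale of reversed base64: padding characters sit at the start instead of the end, and most entries are exactly 8 characters, which is how an 8-byte immediate of a stack string shows up in a string scan. The helper below is an added example for this page, not Joe Sandbox or sample code: it reverses and decodes each fragment copied from the String ID line, reassembles the three chunks that decode to pieces of "AmsiScanString" (the chunk order is an assumption, since the report lists strings sorted, not in memory order), and parses the one contiguous fragment, which decodes to an `esentutl /y ... /d ... /o` copy of powershell.exe to `C:\Users\Public\pha.pif`. That destination matches the `pha` snapshot names later in this section. The esentutl regex, the "odd extension" list and the "suspicious copy" heuristic are this example's own assumptions.

```python
"""Decode the reversed-base64 stack-string fragments listed for the function at
613C1E6B (the LoadLibraryW / WinExec / ExitProcess routine).

Added example for this report page; not Joe Sandbox code. The fragments are
copied from the report's "String ID" line; the esentutl parser and the
'suspicious copy' heuristic are this example's own assumptions.
"""
import base64
import binascii
import re
from typing import Optional

# Copied verbatim from the String ID line. The first entry is one contiguous
# string; the rest are 8-character pieces listed in sorted order.
FRAGMENTS = [
    "=82LgYWaw5SYoBHXcNWasJWdQxFXzJXZzVFXcpzQgQ2LgUGel5CbsVGazJXZ39GccxFMuEjdcxFbsVGaTJXZ39GUzd3bk5WaXxFXyMTblR3c5NFXcN3dvRmbpdFXcpzQgk3LgwGd1RnblNXZ",
    "==Qaz1WQ", "=cmbpJHd", "T5WYjNVa", "gYWaw5SY", "ggGdhBlb", "h1WbvNUL",
    "icCX6M0J", "kFkIgQmb", "oBHXcNWa", "sJWdQxFX", "uVmclZWZ", "vl2c1x2Y",
    "yBFcN1CZ", "z1WQ", "zJXZzVFX",
]


def decode_reversed_b64(fragment: str) -> Optional[str]:
    """Reverse the text, base64-decode it, and return it only if it is printable ASCII.

    Leading '=' characters are the hint: base64 padding belongs at the end, so
    the encoder stored each string reversed. Invalid base64 or non-printable
    output yields None, which separates real decodes from noise.
    """
    s = fragment[::-1]
    s += "=" * (-len(s) % 4)  # re-pad if a chunk boundary cut the padding off
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    return text if text.isprintable() else None


def decode_all(fragments):
    """Map every fragment to its decoded text (None where decoding fails)."""
    return {f: decode_reversed_b64(f) for f in fragments}


def reassemble(*chunks: str) -> Optional[str]:
    """Decode several reversed chunks as one string; chunks must be in memory order."""
    return decode_reversed_b64("".join(chunks))


# esentutl /y SRC /d DST [/o] copies SRC to DST; /o suppresses the banner.
ESENTUTL_COPY = re.compile(
    r"^esentutl\s+/y\s+(?P<src>\S+)\s+/d\s+(?P<dst>\S+)(?:\s+/o)?\s*$", re.IGNORECASE
)


def parse_esentutl_copy(cmdline: str):
    """Return (source, destination) for an esentutl copy command line, else None.

    The decoded bytes carry C-style doubled backslashes; they are collapsed so
    the paths compare like ordinary Windows paths.
    """
    m = ESENTUTL_COPY.match(cmdline)
    if not m:
        return None
    return (m.group("src").replace("\\\\", "\\"),
            m.group("dst").replace("\\\\", "\\"))


# Assumed lists for the heuristic: interpreters worth watching, executable
# extensions other than .exe, and directories an unprivileged user can write to.
INTERPRETERS = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe")
ODD_EXECUTABLE_EXTS = (".pif", ".scr", ".com", ".cpl")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")


def copy_is_suspicious(src: str, dst: str) -> bool:
    """Flag an interpreter copied into a user-writable directory under an odd extension."""
    s, d = src.lower(), dst.lower()
    return (s.endswith(INTERPRETERS)
            and any(p in d for p in USER_WRITABLE)
            and d.endswith(ODD_EXECUTABLE_EXTS))


if __name__ == "__main__":
    for frag, text in decode_all(FRAGMENTS).items():
        print(f"{frag[:16]:<16} -> {text!r}")
    full = decode_reversed_b64(FRAGMENTS[0])
    src, dst = parse_esentutl_copy(full)
    verdict = "suspicious" if copy_is_suspicious(src, dst) else "benign"
    print("copy:", src, "->", dst, verdict)
    print("reassembled:", reassemble("=cmbpJHd", "T5WYjNVa", "z1WQ"))
```

The short fragments decode to pieces such as "-Comma", 'nd "Ad', "d-MpPr", "eferen", "clusio", "nPath " and "'C:\\'\"", i.e. the parts of an `Add-MpPreference -ExclusionPath` command, which is the string-level counterpart of the Defender-exclusion behaviour the report flags; because the report sorts them, only the contiguous esentutl line can be reassembled without the disassembly.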

                      Control-flow Graph

                      • Rendered graph omitted. Function 613c2bc0 (blocks 613c2bc0-613c2caa): calls 613c3240, 613c3080 and 613c31b0, then RtlAddFunctionTable at block 613c2c90.
                      APIs
                      • RtlAddFunctionTable.KERNEL32 ref: 613C2C9A
                      Strings
                      Memory Dump Source
                      • Source File: 00000004.00000002.2112951225.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000004.00000002.2112927560.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2112972189.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2112993198.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113017912.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113037134.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113056871.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: FunctionTable
                      • String ID: .pdata
                      • API String ID: 1252446317-4177594709
                      • Opcode ID: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                      • Instruction ID: a98d7effac0a08117c3fa1e10c50b581c5c7b73d9eed72f9ca58742f97c7602a
                      • Opcode Fuzzy Hash: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                      • Instruction Fuzzy Hash: 4621B472B022609AFB058FA9DA443947B62A788F98F4CD024CE0B57314EB3A9A61D755

                      Control-flow Graph

                      • Rendered graph omitted. Function 613c1d97 (blocks 613c1d97-613c1e58): calls LoadLibraryW in the entry block, then one of two paths to the return at 613c1e31.
                      APIs
                      • LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                      Memory Dump Source
                      • Source File: 00000004.00000002.2112951225.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000004.00000002.2112927560.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2112972189.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2112993198.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113017912.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113037134.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113056871.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                      • Instruction ID: c1c33eecdd383886d2d8d2bb6f1c2682b4f93b08dfe668e5ddc8be9d462bd23a
                      • Opcode Fuzzy Hash: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                      • Instruction Fuzzy Hash: 06210B72B11B608CE700DBB9EC4439C3B71A348B98F044515DE6DA7BA8EF39C650C394

                      Control-flow Graph

                      • Rendered graph omitted. Function 613c3620 (single block 613c3620-613c3636): calls Sleep.
                      APIs
                      Memory Dump Source
                      • Source File: 00000004.00000002.2112951225.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000004.00000002.2112927560.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2112972189.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2112993198.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113017912.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113037134.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113056871.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                      • Instruction ID: e9c459437bb93fbad0663031f86f151610a23291e51109e838943003221a6897
                      • Opcode Fuzzy Hash: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                      • Instruction Fuzzy Hash: F0B01220F13160C3D70C33769C9635850D5574C300FD000288107842A0DC9D02A64640

                      Control-flow Graph

                      APIs
                      • RtlCaptureContext.KERNEL32 ref: 613C2924
                      • RtlLookupFunctionEntry.KERNEL32 ref: 613C293B
                      • RtlVirtualUnwind.KERNEL32 ref: 613C297D
                      • SetUnhandledExceptionFilter.KERNEL32 ref: 613C29C4
                      • UnhandledExceptionFilter.KERNEL32 ref: 613C29D1
                      • GetCurrentProcess.KERNEL32 ref: 613C29D7
                      • TerminateProcess.KERNEL32 ref: 613C29E5
                      Memory Dump Source
                      • Source File: 00000004.00000002.2112951225.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000004.00000002.2112927560.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2112972189.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2112993198.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113017912.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113037134.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113056871.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
                      • String ID:
                      • API String ID: 3266983031-0
                      • Opcode ID: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                      • Instruction ID: e8e25b836daba40db766a00739c45693a0588c7fa2b6924b27fae8a827f53c88
                      • Opcode Fuzzy Hash: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                      • Instruction Fuzzy Hash: E421D375611B31D9EB008B61F8843C937AAB748B98F480566D94F67734EF3AC764C780

                      Control-flow Graph

                      • Rendered graph omitted. Function 613c2470 (blocks 613c2470-613c27a4): calls 613c3170 and 613c35d0 (block 613c24a0), iterates a relocation list with calls to 613c2300 (blocks 613c259d, 613c2664, 613c2692, 613c26c6, 613c270f), VirtualQuery at block 613c2613 and VirtualProtect at block 613c262c; error exits go through 613c2290.
                      • The format strings listed under Similarity for this function ("Unknown pseudo relocation bit size %d.", "Unknown pseudo relocation protocol version %d.", "VirtualQuery failed for %d bytes at address %p") are those of the MinGW-w64 C runtime's pseudo-relocation fixup, so the VirtualQuery/VirtualProtect activity here is compiler runtime start-up code rather than payload logic.
                      APIs
                      • VirtualQuery.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2620
                      • VirtualProtect.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2642
                      Strings
                      Memory Dump Source
                      • Source File: 00000004.00000002.2112951225.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000004.00000002.2112927560.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2112972189.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2112993198.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113017912.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113037134.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113056871.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: Virtual$ProtectQuery
                      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p$T@<a
                      • API String ID: 1027372294-2627587640
                      • Opcode ID: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                      • Instruction ID: 62939e9ad82f9327e1e07ec4eefc127d92b0ac663fd755b0084f4618bd059482
                      • Opcode Fuzzy Hash: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                      • Instruction Fuzzy Hash: 2771DE76B11A2489EB01CF76EA8078AB362B748FACF48D115CD1F17358DB3AC911C352

                      Control-flow Graph

                      APIs
                      • GetSystemTimeAsFileTime.KERNEL32 ref: 613C2875
                      • GetCurrentProcessId.KERNEL32 ref: 613C2880
                      • GetCurrentThreadId.KERNEL32 ref: 613C2888
                      • GetTickCount.KERNEL32 ref: 613C2890
                      • QueryPerformanceCounter.KERNEL32 ref: 613C289D
                      Memory Dump Source
                      • Source File: 00000004.00000002.2112951225.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000004.00000002.2112927560.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2112972189.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2112993198.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113017912.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113037134.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113056871.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                      • String ID:
                      • API String ID: 1445889803-0
                      • Opcode ID: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                      • Instruction ID: fbcbe058b436404562c126ae5aac31350f057f625ad19c487ba693073682924f
                      • Opcode Fuzzy Hash: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                      • Instruction Fuzzy Hash: 6411BF33756B3082F7005B25B904385B2A2B788BA0F0C5231EE5E53BA4EF3DC9968340

                      Control-flow Graph

                      • Rendered graph omitted. Function 613c2300 (blocks 613c2300-613c27a4): calls 613c3120, 613c3240 and VirtualQuery (block 613c236f), memcpy (block 613c23f9), 613c3170 and 613c35d0 (block 613c24a0), VirtualQuery (block 613c2613) and VirtualProtect (block 613c262c); error paths go through 613c2290; recursive calls to 613c2300 at blocks 613c2664, 613c2692, 613c26c6 and 613c270f.
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000004.00000002.2112951225.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000004.00000002.2112927560.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2112972189.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2112993198.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113017912.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113037134.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000004.00000002.2113056871.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: QueryVirtual
                      • String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$T@<a
                      • API String ID: 1804819252-4232178576
                      • Opcode ID: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                      • Instruction ID: 6a292cefe7e1f4070340493715416b3679d18dd40189ba87be4cd8971f2c6506
                      • Opcode Fuzzy Hash: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                      • Instruction Fuzzy Hash: 2631F673701A649AE601DF12ED04B967B65F788FE8F48C121DE1E17320DB3AD652C740
                      Memory Dump Source
                      • Instruction ID: 50ce96a983d0984163598180759fa97e756b87e3938ed022ca944956649bbe7d
                      • Opcode Fuzzy Hash: 194a6b34bc7c956eaefd2e5fe940ca792ec041e4c7ed27af4d6ad4a8f046a16b
                      • Instruction Fuzzy Hash: 6AF09A31A0D5458FEB95EB18A4408A877E0FF05364F4500B6E059C70A3CB2AAC508764
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2465648049.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_7ff848e80000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                      • Instruction ID: 37c425a4b8cea45d88be890f7d16e2f4158ab5b0b4af2526eba9b59d36e71348
                      • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                      • Instruction Fuzzy Hash: E4E01A31B0C8088FDAA8EA0CE0409AD73E1FB98365B5101B7D14EC7562CB32EC518B84
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2461012963.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_7ff848db0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ebfce43fbbb43257d117de47f7652db7f18c1f6007cff692a1eb9af5f0380cd5
                      • Instruction ID: 72b5ac04772bb63759f75ae2fcaff9bf3d616b10b282b22d88145c4ed352cf68
                      • Opcode Fuzzy Hash: ebfce43fbbb43257d117de47f7652db7f18c1f6007cff692a1eb9af5f0380cd5
                      • Instruction Fuzzy Hash: 68E0C22064EA864FD345A22CA040BB9BA81AF95390F94187DF4CE87387CB8D68825362
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2461012963.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_7ff848db0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID: K_^6$K_^<$K_^F$K_^I$K_^J
                      • API String ID: 0-3659583007
                      • Opcode ID: b51c032d8e036fa40f8934c4fd8bcd85e0c9190da3d2be33bda1ec95d6b239c8
                      • Instruction ID: 1a1642ee350d840f977f8f443d21846633559e33da9383a9b08d808a8ca8c343
                      • Opcode Fuzzy Hash: b51c032d8e036fa40f8934c4fd8bcd85e0c9190da3d2be33bda1ec95d6b239c8
                      • Instruction Fuzzy Hash: 05216B7730A4167FDB0177AEB8046EC7791EB942F5B4842B3D158CF503DE14A18746E4
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2461012963.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_7ff848db0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID: K_^$K_^$K_^$K_^
                      • API String ID: 0-4267328068
                      • Opcode ID: 519f1c88b3c32617a291f56b6df12269c45a0c4a4264a88ca7db9d1cc21ad561
                      • Instruction ID: 972274d9f8ade8942749b5b349d4609b09bc9018eeb4b035e5585c8da5d7e84e
                      • Opcode Fuzzy Hash: 519f1c88b3c32617a291f56b6df12269c45a0c4a4264a88ca7db9d1cc21ad561
                      • Instruction Fuzzy Hash: 4041546390F6C25FE74792295C69195BFA0EF63298F1D41FAC4C88F093EE1A584B9306

                      Execution Graph

                      Execution Coverage: 20.8%
                      Dynamic/Decrypted Code Coverage: 0%
                      Signature Coverage: 0%
                      Total number of Nodes: 150
                      Total number of Limit Nodes: 2

                      Callgraph


                      Control-flow Graph

                      APIs
                        • Part of subcall function 613C1D97: LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                      • WinExec.KERNEL32 ref: 613C202C
                        • Part of subcall function 613C3620: Sleep.KERNEL32 ref: 613C362A
                      • WinExec.KERNEL32 ref: 613C21C2
                      • ExitProcess.KERNEL32 ref: 613C2228
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.2142945232.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 0000000E.00000002.2142916247.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143029063.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143051695.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143106568.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143122800.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143150634.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: Exec$ExitLibraryLoadProcessSleep
                      • String ID: 4VULgU2Y$=82LgYWaw5SYoBHXcNWasJWdQxFXzJXZzVFXcpzQgQ2LgUGel5CbsVGazJXZ39GccxFMuEjdcxFbsVGaTJXZ39GUzd3bk5WaXxFXyMTblR3c5NFXcN3dvRmbpdFXcpzQgk3LgwGd1RnblNXZ$==Qaz1WQ$=cmbpJHd$=cmbpJHd$T5WYjNVa$T5WYjNVa$gYWaw5SY$ggGdhBlb$h1WbvNUL$icCX6M0J$kFkIgQmb$oBHXcNWa$sJWdQxFX$uVmclZWZ$vl2c1x2Y$yBFcN1CZ$z1WQ$z1WQ$zJXZzVFX
                      • API String ID: 1758684399-1342957281
                      • Opcode ID: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                      • Instruction ID: a98b6bfe7a99aebf3bb0dc4532f6b7cdca838be127f0f4748d87de296261d5c7
                      • Opcode Fuzzy Hash: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                      • Instruction Fuzzy Hash: 74813E75701B869DCF24EBA6A8543E873A5A785F8CF4480398E8E5FB18FF38C6159341

                      Control-flow Graph

                      APIs
                      • RtlAddFunctionTable.KERNEL32 ref: 613C2C9A
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.2142945232.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 0000000E.00000002.2142916247.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143029063.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143051695.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143106568.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143122800.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143150634.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: FunctionTable
                      • String ID: .pdata
                      • API String ID: 1252446317-4177594709
                      • Opcode ID: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                      • Instruction ID: a98d7effac0a08117c3fa1e10c50b581c5c7b73d9eed72f9ca58742f97c7602a
                      • Opcode Fuzzy Hash: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                      • Instruction Fuzzy Hash: 4621B472B022609AFB058FA9DA443947B62A788F98F4CD024CE0B57314EB3A9A61D755

                      Control-flow Graph

                      APIs
                      • LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                      Memory Dump Source
                      • Source File: 0000000E.00000002.2142945232.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 0000000E.00000002.2142916247.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143029063.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143051695.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143106568.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143122800.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143150634.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                      • Instruction ID: c1c33eecdd383886d2d8d2bb6f1c2682b4f93b08dfe668e5ddc8be9d462bd23a
                      • Opcode Fuzzy Hash: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                      • Instruction Fuzzy Hash: 06210B72B11B608CE700DBB9EC4439C3B71A348B98F044515DE6DA7BA8EF39C650C394

                      Control-flow Graph

                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.2142945232.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 0000000E.00000002.2142916247.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143029063.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143051695.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143106568.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143122800.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143150634.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                      • Instruction ID: e9c459437bb93fbad0663031f86f151610a23291e51109e838943003221a6897
                      • Opcode Fuzzy Hash: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                      • Instruction Fuzzy Hash: F0B01220F13160C3D70C33769C9635850D5574C300FD000288107842A0DC9D02A64640

                      Control-flow Graph

                      APIs
                      • RtlCaptureContext.KERNEL32 ref: 613C2924
                      • RtlLookupFunctionEntry.KERNEL32 ref: 613C293B
                      • RtlVirtualUnwind.KERNEL32 ref: 613C297D
                      • SetUnhandledExceptionFilter.KERNEL32 ref: 613C29C4
                      • UnhandledExceptionFilter.KERNEL32 ref: 613C29D1
                      • GetCurrentProcess.KERNEL32 ref: 613C29D7
                      • TerminateProcess.KERNEL32 ref: 613C29E5
                      Memory Dump Source
                      • Source File: 0000000E.00000002.2142945232.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 0000000E.00000002.2142916247.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143029063.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143051695.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143106568.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143122800.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143150634.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
                      • String ID:
                      • API String ID: 3266983031-0
                      • Opcode ID: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                      • Instruction ID: e8e25b836daba40db766a00739c45693a0588c7fa2b6924b27fae8a827f53c88
                      • Opcode Fuzzy Hash: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                      • Instruction Fuzzy Hash: E421D375611B31D9EB008B61F8843C937AAB748B98F480566D94F67734EF3AC764C780

                      Control-flow Graph

                      APIs
                      • VirtualQuery.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2620
                      • VirtualProtect.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2642
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.2142945232.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 0000000E.00000002.2142916247.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143029063.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143051695.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143106568.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143122800.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143150634.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: Virtual$ProtectQuery
                      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p$T@<a
                      • API String ID: 1027372294-2627587640
                      • Opcode ID: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                      • Instruction ID: 62939e9ad82f9327e1e07ec4eefc127d92b0ac663fd755b0084f4618bd059482
                      • Opcode Fuzzy Hash: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                      • Instruction Fuzzy Hash: 2771DE76B11A2489EB01CF76EA8078AB362B748FACF48D115CD1F17358DB3AC911C352

                      Control-flow Graph

                      APIs
                      • GetSystemTimeAsFileTime.KERNEL32 ref: 613C2875
                      • GetCurrentProcessId.KERNEL32 ref: 613C2880
                      • GetCurrentThreadId.KERNEL32 ref: 613C2888
                      • GetTickCount.KERNEL32 ref: 613C2890
                      • QueryPerformanceCounter.KERNEL32 ref: 613C289D
                      Memory Dump Source
                      • Source File: 0000000E.00000002.2142945232.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 0000000E.00000002.2142916247.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143029063.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143051695.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143106568.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143122800.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143150634.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                      • String ID:
                      • API String ID: 1445889803-0
                      • Opcode ID: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                      • Instruction ID: fbcbe058b436404562c126ae5aac31350f057f625ad19c487ba693073682924f
                      • Opcode Fuzzy Hash: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                      • Instruction Fuzzy Hash: 6411BF33756B3082F7005B25B904385B2A2B788BA0F0C5231EE5E53BA4EF3DC9968340

                      Control-flow Graph

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.2142945232.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 0000000E.00000002.2142916247.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143029063.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143051695.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143106568.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143122800.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 0000000E.00000002.2143150634.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: QueryVirtual
                      • String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$T@<a
                      • API String ID: 1804819252-4232178576
                      • Opcode ID: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                      • Instruction ID: 6a292cefe7e1f4070340493715416b3679d18dd40189ba87be4cd8971f2c6506
                      • Opcode Fuzzy Hash: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                      • Instruction Fuzzy Hash: 2631F673701A649AE601DF12ED04B967B65F788FE8F48C121DE1E17320DB3AD652C740
                      Memory Dump Source
                      • Source File: 00000011.00000002.2878227092.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 17f91e3ab1b97b189ed90ce9d0a8c127f416ab18c009e1a735a2d7146f2f1b1f
                      • Instruction ID: 4ffcdbeef70039a9955a389bfa95b17cd6c8882ac65c2fbf5a228b6fefc13382
                      • Opcode Fuzzy Hash: 17f91e3ab1b97b189ed90ce9d0a8c127f416ab18c009e1a735a2d7146f2f1b1f
                      • Instruction Fuzzy Hash: C5122622E0DBC94FE3E6A62C98552B17BE1FF96660F4901FBC04DC7193DE299C068356
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.2873857282.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID: UQ_H
                      • API String ID: 0-4123913266
                      • Opcode ID: abccf5e9bc677c10a7e3ad2f0b6fd61af9bf527a40456ea965ef4174ea82cfbf
                      • Instruction ID: cf2b25698313816299257f1f6a1b8bc25881593abe76f0f85fdfbd8e4bb5de59
                      • Opcode Fuzzy Hash: abccf5e9bc677c10a7e3ad2f0b6fd61af9bf527a40456ea965ef4174ea82cfbf
                      • Instruction Fuzzy Hash: BA22D130A1DA498FDB98EF1CC495BB977E1FF98350F24016AD44AC7296CB35E846CB81
                      Memory Dump Source
                      • Source File: 00000011.00000002.2878227092.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cc9ebfe8c80fb97c9cd0dcc9fa7ee0095537728b2fb48071bff58edb41f52d57
                      • Instruction ID: c025c59731a8c00211c2cff73658064440d9c66289d99d3483e2b78cb820b8fb
                      • Opcode Fuzzy Hash: cc9ebfe8c80fb97c9cd0dcc9fa7ee0095537728b2fb48071bff58edb41f52d57
                      • Instruction Fuzzy Hash: 4352DF7190E7895FE356A7285C155B57FA1FF57260F0901FBD08CCB0A3DB28A84AC3A6
                      Memory Dump Source
                      • Source File: 00000011.00000002.2873857282.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 516194b3dcdac655832833955835f487023f2b7afec6836a30f5444bd4147579
                      • Instruction ID: 1450908ab17054b31bbee8643ee761013880ea57d18f432a3517707f1b7e7728
                      • Opcode Fuzzy Hash: 516194b3dcdac655832833955835f487023f2b7afec6836a30f5444bd4147579
                      • Instruction Fuzzy Hash: D7C17D30A19A498FDF88EF58D855BA97BE1FF68350F24416AD009D7296CB34E885CB81
                      Memory Dump Source
                      • Source File: 00000011.00000002.2878227092.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8f8f7af084a6de9bdf35531fe476b99704ba405e11950fd0ed6acab56e819bba
                      • Instruction ID: 3d9a62e0260141ca132b4a0ac9267501f53bfd67d023ca22af670fe30009a147
                      • Opcode Fuzzy Hash: 8f8f7af084a6de9bdf35531fe476b99704ba405e11950fd0ed6acab56e819bba
                      • Instruction Fuzzy Hash: EE225632E0EA895FE795AB285C595B53BE1FF56260F0801FBC44DC7193EB28AC06C356
                      Memory Dump Source
                      • Source File: 00000011.00000002.2873857282.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9a3ed84919c6fd662cb5210301dd982b82bc683644594be8d2b9ea02d31cabdc
                      • Instruction ID: cbdc87d3421d1d16f593ec89cc1f6f31c38c8b91dff7e29d5ffc6238cb7ab69a
                      • Opcode Fuzzy Hash: 9a3ed84919c6fd662cb5210301dd982b82bc683644594be8d2b9ea02d31cabdc
                      • Instruction Fuzzy Hash: D102D331E0DB4A8FEB94EB1CD495AE977E1FF54354F2402BAD008C7192DF24A886C785
                      Memory Dump Source
                      • Source File: 00000011.00000002.2878227092.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5c01ce4c7d0402c735f74d8fabd050800a606391dc405fa3cadc8b8e42a880fd
                      • Instruction ID: 2e05e1e7c204bdfc164cc43be8f13d05ea417425ee440d5f3cf6777bd085971b
                      • Opcode Fuzzy Hash: 5c01ce4c7d0402c735f74d8fabd050800a606391dc405fa3cadc8b8e42a880fd
                      • Instruction Fuzzy Hash: 43E10632A0DBC54FE7969B3858656A17FE1FF57260F0901FBC089CB193DA289C46C366
                      Memory Dump Source
                      • Source File: 00000011.00000002.2878227092.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3dccfa7279a732e54e20b049e33e27247919c4cbe9bcf13c37de805bb680213e
                      • Instruction ID: 65be202892df8163bbaa6b1d3e57b9e08fdd8dc88c7b3b1212f79a0239cea68e
                      • Opcode Fuzzy Hash: 3dccfa7279a732e54e20b049e33e27247919c4cbe9bcf13c37de805bb680213e
                      • Instruction Fuzzy Hash: D6D14431D0EA8A9FFB95FB6858155B57BA0FF16398F0801FAD44DC70A3DB28A805C355
                      Memory Dump Source
                      • Source File: 00000011.00000002.2878227092.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d5ef2f0bcc43a8fcb7bf1aa5b4e3dcfa294faefab4b3dd5aff17a1777da7d3d5
                      • Instruction ID: b9547c59b5db000fc95d598025d760e29cc6e3101c4799db4126f9d7609cb1c0
                      • Opcode Fuzzy Hash: d5ef2f0bcc43a8fcb7bf1aa5b4e3dcfa294faefab4b3dd5aff17a1777da7d3d5
                      • Instruction Fuzzy Hash: 25612632E1DA894FE7A5AB2C5C516B57BE1FF962A0F0901BAC04CC7193DF38AC058785
                      Memory Dump Source
                      • Source File: 00000011.00000002.2873857282.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ab01be7578bf353976bbf289ee2db8db23a97f076032b3bf6184939a4b072f0d
                      • Instruction ID: 94d3c2b292bf4a9b1bbab49529b4fff41cd60c992c04e414f6e6aedfc3cc3c44
                      • Opcode Fuzzy Hash: ab01be7578bf353976bbf289ee2db8db23a97f076032b3bf6184939a4b072f0d
                      • Instruction Fuzzy Hash: FC615A3190DBC54FE34ADB2898955647BE0EF56358F2802FEC089CB193EE16A84BC756
                      Memory Dump Source
                      • Source File: 00000011.00000002.2873857282.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 40f5660d5de6f356eab09e5ff9201fe916b3a5522b06658a48f0fc8db3cf93ab
                      • Instruction ID: 880ae1ba065bed21cb5e5e0e1486969d5382bffe69fc17d0d9b529ba11992197
                      • Opcode Fuzzy Hash: 40f5660d5de6f356eab09e5ff9201fe916b3a5522b06658a48f0fc8db3cf93ab
                      • Instruction Fuzzy Hash: 0451F932F0EB8A4FF756AF3E58552B53BD0EF516A5F1900B7C448C7197DE19980A8324
                      Memory Dump Source
                      • Source File: 00000011.00000002.2878227092.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 25c2b00b4eb2812ea8118aab9fe86614b45480faa7cbf812e2706599e831baaf
                      • Instruction ID: 68a3f5b871b8d4ed37c4c0c98b423fd5f22a6748450f976556c7ca866c748899
                      • Opcode Fuzzy Hash: 25c2b00b4eb2812ea8118aab9fe86614b45480faa7cbf812e2706599e831baaf
                      • Instruction Fuzzy Hash: 00516C32E1DA8A4FE3E9E62C985413136D2FF95790F8901BEC45DC7193EE35AC05834A
                      Memory Dump Source
                      • Source File: 00000011.00000002.2873857282.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 16535766d6f3a358263b58818d9d70a53aed3d192043548ea66709e8ea1b4c04
                      • Instruction ID: c8b4d198f6059a43ad815e8d3c37d8a29ba9044d9ab573b327c320ea81b845b0
                      • Opcode Fuzzy Hash: 16535766d6f3a358263b58818d9d70a53aed3d192043548ea66709e8ea1b4c04
                      • Instruction Fuzzy Hash: AC414C71D1DB889FDB099F5CA80A3F87BE0FB55311F14416FD04983256DB30A84A87C2
                      Memory Dump Source
                      • Source File: 00000011.00000002.2868618180.00007FF848C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C8D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848c8d000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7b78d7d985c6bbe70c64782b4eb1ce9a6d0f084149affabf113bc85d79d21ae6
                      • Instruction ID: d7f98bd2900d0fdd2033fcced194a58826de955baf4e3b231eca5cab05bda4f0
                      • Opcode Fuzzy Hash: 7b78d7d985c6bbe70c64782b4eb1ce9a6d0f084149affabf113bc85d79d21ae6
                      • Instruction Fuzzy Hash: 7341257080DBC48FE79ADB3898419623FF0EF52365F1505EFD089CB1A3D629A846C792
                      Memory Dump Source
                      • Source File: 00000011.00000002.2873857282.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 14e3e3b4512b8c649a5109fa86532e136c0b3a074d739c3c6792e7bbda71d3ab
                      • Instruction ID: 6eb25df4ee7653f8f7edd8e444fa311cd3566c3da85140cd42709b1065267b90
                      • Opcode Fuzzy Hash: 14e3e3b4512b8c649a5109fa86532e136c0b3a074d739c3c6792e7bbda71d3ab
                      • Instruction Fuzzy Hash: E431F33190DB8C8FEB59DB68D8496EA7FF0EB66320F1441AFC048C7163D664585ACB92
                      Memory Dump Source
                      • Source File: 00000011.00000002.2878227092.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 12c36df68e2dfae828fb71b5ecb8341dc297c588bb9b67171c3eef512dd6d890
                      • Instruction ID: cac0ad9ed29d13b320a79b64de7c4988e4ac1be177c9b567aa0cf9d8c5c05ff8
                      • Opcode Fuzzy Hash: 12c36df68e2dfae828fb71b5ecb8341dc297c588bb9b67171c3eef512dd6d890
                      • Instruction Fuzzy Hash: 1721AF32B0CA088FEB59EA1CA4419E8B7E1FB59370F1401BBD14AC31A3DB25E845C795
                      Memory Dump Source
                      • Source File: 00000011.00000002.2878227092.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 214ed88d7852b17d88b69362955319da502630ba1ff87e3ad7336c5581d20f8f
                      • Instruction ID: 91218eab0e35872a6c23a8ee53a1b1491d397bf043514d2eef999f6bb611a0ce
                      • Opcode Fuzzy Hash: 214ed88d7852b17d88b69362955319da502630ba1ff87e3ad7336c5581d20f8f
                      • Instruction Fuzzy Hash: 5521BE32B0CA488FEB98EA1CA4419F8B7E0FB49360F1400BBD14AC3193EB25E8558795
                      Memory Dump Source
                      • Source File: 00000011.00000002.2873857282.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d39fac41956c252cb934a6c921b59dad5550b2778397d63246a100a4c00ffe69
                      • Instruction ID: d57c3312ce1e60450c72819497acdf3eca8768baa0d097cfe742a6ecbcd451cb
                      • Opcode Fuzzy Hash: d39fac41956c252cb934a6c921b59dad5550b2778397d63246a100a4c00ffe69
                      • Instruction Fuzzy Hash: CB21EB73C0EAC54FD702EB28589A5E97F90EF21398F2841BAC08847057EF1615998B4A
                      Memory Dump Source
                      • Source File: 00000011.00000002.2878227092.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: eadb6b9a5cfbd99bc8540dc50ea9ba351c5976f0291ebf66d5d534c7fad04503
                      • Instruction ID: 5ed656b034f1bec0855fdcf98b0f785c38fe4f28492e207995178b5074a701d0
                      • Opcode Fuzzy Hash: eadb6b9a5cfbd99bc8540dc50ea9ba351c5976f0291ebf66d5d534c7fad04503
                      • Instruction Fuzzy Hash: D901A733E0E7D24FF765567838521F4BBD0FF452A4F1801BBD59AC20C3DA1DA8058269
                      Memory Dump Source
                      • Source File: 00000011.00000002.2873857282.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                      • Instruction ID: 947609b87f0171a528e089c071280dd87983606f4429be7d1e91de7997688212
                      • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                      • Instruction Fuzzy Hash: 7A01447111CB084FDB48EF0CE451AA5B7E0FB95364F10056DE58AC3695DB26E882CB45
                      Memory Dump Source
                      • Source File: 00000011.00000002.2873857282.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 833b36e5ac0400503f9dda138b9b0031255c2190ea0a18dc5e69f4cd369d6f2b
                      • Instruction ID: bc3b2d7b573b2bc1ee2bc68bea3a5f1b6f26727a0704859f2369cccde83addf0
                      • Opcode Fuzzy Hash: 833b36e5ac0400503f9dda138b9b0031255c2190ea0a18dc5e69f4cd369d6f2b
                      • Instruction Fuzzy Hash: 81F0303275C6048FDB4CAA1CF842AB573D1EB99320F10016EE48BC3696D927E8468685
                      Memory Dump Source
                      • Source File: 00000011.00000002.2868618180.00007FF848C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C8D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848c8d000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e63aa980c621b1ab46ed12b8e6cf817d741cefc90247e37344cc464b9e9b72d0
                      • Instruction ID: c7442c493f4889636a26b32f0702662be4deca15bb78f6ee44dbbe95a08e9b77
                      • Opcode Fuzzy Hash: e63aa980c621b1ab46ed12b8e6cf817d741cefc90247e37344cc464b9e9b72d0
                      • Instruction Fuzzy Hash: F8E07530A5DD09CFCA95FA29C485D2577E1FB58341B610468D04ACB661D728FC82CB45
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.2873857282.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID: L_^6$L_^<$L_^F$L_^I$L_^J
                      • API String ID: 0-1031638419
                      • Opcode ID: 887ee41eb840c3575b88bb1e9db2925622a57a01fac4fbcb1af591c2fbfc1793
                      • Instruction ID: eb9de62e912a74deae67360533088e5aacd8f1344a88de0b3e2f148425bc61bc
                      • Opcode Fuzzy Hash: 887ee41eb840c3575b88bb1e9db2925622a57a01fac4fbcb1af591c2fbfc1793
                      • Instruction Fuzzy Hash: 72212777709516AED30177AEB8056EC7381EBD42B6B4851B3D358CB513DB14A08B8AF4
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.2873857282.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID: L_^$L_^$L_^$L_^
                      • API String ID: 0-2357752022
                      • Opcode ID: 4081f8ea00b9a218504c9e296403cce4d2a5eae240f45bbd53927ded6ae75545
                      • Instruction ID: 4a3b40dd40affab97212611ee18f568c699f699ae0c53c2169d3ab677bafc391
                      • Opcode Fuzzy Hash: 4081f8ea00b9a218504c9e296403cce4d2a5eae240f45bbd53927ded6ae75545
                      • Instruction Fuzzy Hash: 644150A290F7C20FE34792295C69159BF90EF52258F2D41FAC5888F093EA1A580F9716

                      Execution Graph

                      Execution Coverage:20.8%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:0%
                      Total number of Nodes:150
                      Total number of Limit Nodes:2
                      execution_graph 968 613c3789 RtlLookupFunctionEntry 800 613c13e0 801 613c13f6 800->801 806 613c2830 801->806 803 613c1413 810 613c2bc0 803->810 807 613c2859 806->807 808 613c2870 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 806->808 807->803 809 613c28cd 808->809 809->803 812 613c2bcf 810->812 811 613c1418 812->811 813 613c2c90 RtlAddFunctionTable 812->813 813->811 814 613c1290 815 613c12af 814->815 816 613c12f0 814->816 818 613c12d6 815->818 820 613c2470 6 API calls 815->820 841 613c2470 816->841 819 613c12f5 821 613c1305 819->821 822 613c12be 819->822 820->822 861 613c1050 821->861 824 613c222b 5 API calls 822->824 825 613c12cb 824->825 825->818 831 613c1050 2 API calls 825->831 826 613c130a 826->818 827 613c1370 826->827 828 613c1353 826->828 829 613c1375 827->829 830 613c13c0 827->830 828->818 832 613c1050 2 API calls 828->832 867 613c2810 829->867 833 613c222b 5 API calls 830->833 831->818 832->818 833->825 835 613c137a 872 613c222b 835->872 838 613c222b 5 API calls 839 613c13a1 838->839 840 613c1050 2 API calls 839->840 840->825 844 613c24a0 841->844 849 613c248b 841->849 842 613c2650 843 613c2659 842->843 842->849 845 613c2300 4 API calls 843->845 848 613c2688 843->848 844->842 846 613c253c 844->846 844->849 845->843 847 613c26c1 846->847 846->849 850 613c268d 846->850 853 613c2594 846->853 854 613c26f6 846->854 852 613c2300 4 API calls 847->852 851 613c25c4 848->851 849->819 850->854 855 613c2300 4 API calls 850->855 851->849 858 613c2613 VirtualQuery 851->858 852->854 853->846 853->851 853->854 876 613c2300 853->876 856 613c2300 4 API calls 854->856 855->847 859 613c2739 856->859 858->849 860 613c262c VirtualProtect 858->860 859->849 860->851 862 613c1066 861->862 863 613c10e0 861->863 864 613c1094 Sleep 862->864 866 613c10a8 862->866 865 613c1119 Sleep 863->865 863->866 864->862 865->863 866->826 868 613c281a 867->868 869 613c27b0 867->869 868->835 885 613c2f20 869->885 873 
613c138a 872->873 874 613c2244 872->874 873->818 873->838 892 613c1e6b 874->892 877 613c2332 876->877 878 613c2393 VirtualQuery 877->878 881 613c2435 877->881 879 613c23c1 memcpy 878->879 878->881 882 613c248b 881->882 883 613c2613 VirtualQuery 881->883 882->853 883->882 884 613c262c VirtualProtect 883->884 884->881 887 613c2f34 885->887 886 613c2fb5 886->835 887->886 890 613c36b8 __dllonexit 887->890 891 613ca304 890->891 893 613c1ea5 892->893 922 613c1d97 LoadLibraryW 893->922 895 613c1f55 896 613c1d97 LoadLibraryW 895->896 897 613c1f81 896->897 898 613c1d97 LoadLibraryW 897->898 899 613c1fe5 898->899 900 613c1d97 LoadLibraryW 899->900 901 613c2011 900->901 902 613c201d WinExec 901->902 924 613c3620 Sleep 902->924 904 613c2038 905 613c1d97 LoadLibraryW 904->905 906 613c2064 905->906 907 613c1d97 LoadLibraryW 906->907 908 613c2090 907->908 909 613c1d97 LoadLibraryW 908->909 910 613c217b 909->910 911 613c1d97 LoadLibraryW 910->911 912 613c21a7 911->912 913 613c21b3 WinExec 912->913 914 613c21d3 913->914 915 613c1d97 LoadLibraryW 914->915 916 613c21f0 915->916 917 613c1d97 LoadLibraryW 916->917 918 613c221c ExitProcess 917->918 920 613c222b 918->920 919 613c2258 919->873 920->919 921 613c1e6b 2 API calls 920->921 921->919 923 613c1dc1 922->923 923->895 924->904 925 613c2e70 926 613c2e78 925->926 927 613c2e7d 926->927 930 613c3530 926->930 929 613c2e95 931 613c3539 930->931 932 613c3582 930->932 933 613c353b 931->933 934 613c3554 931->934 935 613c358c 932->935 936 613c35a0 InitializeCriticalSection 932->936 937 613c354a 933->937 942 613c33a0 EnterCriticalSection 933->942 938 613c355e 934->938 940 613c33a0 3 API calls 934->940 935->929 936->935 937->929 938->937 939 613c3569 DeleteCriticalSection 938->939 939->937 940->938 943 613c33f4 942->943 945 613c33c1 942->945 944 613c33d0 TlsGetValue GetLastError 944->945 945->943 945->944 948 613c2ea0 949 613c2eb2 948->949 950 613c3530 5 API calls 949->950 951 613c2ec2 949->951 950->951 952 613c2910 RtlCaptureContext 
RtlLookupFunctionEntry 953 613c294d RtlVirtualUnwind 952->953 954 613c29f0 952->954 955 613c2983 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 953->955 954->955 955->954 956 613c3410 957 613c3430 956->957 958 613c3421 956->958 957->958 959 613c344c EnterCriticalSection LeaveCriticalSection 957->959 960 613c3490 961 613c349f 960->961 962 613c34b0 EnterCriticalSection 960->962 963 613c34e7 LeaveCriticalSection 962->963 965 613c34cb 962->965 964 613c34f4 963->964 965->963 966 613c34d1 965->966 967 613c3510 LeaveCriticalSection 966->967 967->964 946 613c37b1 RtlAddFunctionTable 947 613ca294 946->947

                      Callgraph

                      • Executed
                      • Not Executed
                      • Opacity -> Relevance
                      • Disassembly available
                      callgraph 0 Function_613D16BF 1 Function_613C36B8 2 Function_613C19B9 3 Function_613C3030 4 Function_613C3530 16 Function_613C33A0 4->16 5 Function_613C2CB0 26 Function_613C3390 5->26 6 Function_613C1430 7 Function_613C2830 8 Function_613C31B0 44 Function_613C2FF0 8->44 9 Function_613C37B1 10 Function_613C192A 11 Function_613C222B 49 Function_613C1E6B 11->49 50 Function_613C1E65 11->50 55 Function_613C1E5F 11->55 56 Function_613C1E59 11->56 12 Function_613CA2A4 13 Function_613C3620 14 Function_613C3120 14->44 15 Function_613C2F20 15->1 35 Function_613C2280 15->35 47 Function_613C2270 15->47 17 Function_613C2EA0 17->4 18 Function_613D0021 19 Function_613D039A 20 Function_613C1D97 21 Function_613C2F10 22 Function_613C1290 22->11 23 Function_613C3610 22->23 24 Function_613C2810 22->24 46 Function_613C2470 22->46 57 Function_613C1050 22->57 24->15 25 Function_613C2910 27 Function_613C2A10 27->26 28 Function_613C3410 29 Function_613C3490 30 Function_613C3012 31 Function_613D0513 32 Function_613C1D0E 54 Function_613C16DC 32->54 33 Function_613C3789 34 Function_613C3080 34->44 36 Function_613C1000 36->35 37 Function_613C2300 37->14 37->37 43 Function_613C3170 37->43 58 Function_613C35D0 37->58 63 Function_613C3240 37->63 38 Function_613C3280 38->3 38->44 39 Function_613D0D00 40 Function_613D1DFE 41 Function_613C1C79 41->54 42 Function_613D057A 43->44 45 Function_613C2E70 45->4 46->37 46->43 46->58 48 Function_613C22ED 49->10 49->13 49->20 49->49 49->50 49->54 49->55 49->56 51 Function_613C13E0 51->7 62 Function_613C2BC0 51->62 52 Function_613C32E0 52->3 52->44 53 Function_613C1B61 57->47 59 Function_613D1CCD 60 Function_613C1848 61 Function_613D1E4B 62->8 62->34 62->63 63->44

                      Control-flow Graph

                      APIs
                        • Part of subcall function 613C1D97: LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                      • WinExec.KERNEL32 ref: 613C202C
                        • Part of subcall function 613C3620: Sleep.KERNEL32 ref: 613C362A
                      • WinExec.KERNEL32 ref: 613C21C2
                      • ExitProcess.KERNEL32 ref: 613C2228
                      Strings
                      Memory Dump Source
                      • Source File: 00000013.00000002.2174636011.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
                      • Associated: 00000013.00000002.2174607927.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000013.00000002.2174659375.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000013.00000002.2174683927.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000013.00000002.2174708998.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000013.00000002.2174738251.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000013.00000002.2174784392.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_19_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: Exec$ExitLibraryLoadProcessSleep
                      • String ID: 4VULgU2Y$=82LgYWaw5SYoBHXcNWasJWdQxFXzJXZzVFXcpzQgQ2LgUGel5CbsVGazJXZ39GccxFMuEjdcxFbsVGaTJXZ39GUzd3bk5WaXxFXyMTblR3c5NFXcN3dvRmbpdFXcpzQgk3LgwGd1RnblNXZ$==Qaz1WQ$=cmbpJHd$=cmbpJHd$T5WYjNVa$T5WYjNVa$gYWaw5SY$ggGdhBlb$h1WbvNUL$icCX6M0J$kFkIgQmb$oBHXcNWa$sJWdQxFX$uVmclZWZ$vl2c1x2Y$yBFcN1CZ$z1WQ$z1WQ$zJXZzVFX
                      • API String ID: 1758684399-1342957281
                      • Opcode ID: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                      • Instruction ID: a98b6bfe7a99aebf3bb0dc4532f6b7cdca838be127f0f4748d87de296261d5c7
                      • Opcode Fuzzy Hash: 4d1f63c8848b9324423b377315b3159e9dcea841206612359d24d613c9a9fc1c
                      • Instruction Fuzzy Hash: 74813E75701B869DCF24EBA6A8543E873A5A785F8CF4480398E8E5FB18FF38C6159341

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 87 613c2bc0-613c2bda call 613c3240 90 613c2bdc-613c2bdf 87->90 91 613c2c01-613c2c0b 87->91 90->91 92 613c2be1-613c2bfa call 613c3080 90->92 95 613c2bfc 92->95 96 613c2c10-613c2c40 92->96 95->91 97 613c2c70-613c2c7b call 613c31b0 96->97 100 613c2c7d-613c2c80 97->100 101 613c2c42-613c2c6e 97->101 100->95 102 613c2c86-613c2c88 100->102 101->97 103 613c2ca5-613c2caa 101->103 104 613c2c90-613c2ca0 RtlAddFunctionTable 102->104 103->104 104->95
                      APIs
                      • RtlAddFunctionTable.KERNEL32 ref: 613C2C9A
                      Strings
                      Memory Dump Source
                      • Source File: 00000013.00000002.2174636011.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
• Associated: 00000013.00000002.2174607927.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174659375.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174683927.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174708998.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174738251.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174784392.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_19_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: FunctionTable
                      • String ID: .pdata
                      • API String ID: 1252446317-4177594709
                      • Opcode ID: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                      • Instruction ID: a98d7effac0a08117c3fa1e10c50b581c5c7b73d9eed72f9ca58742f97c7602a
                      • Opcode Fuzzy Hash: 52976069890d9e3f5a635ecf40bf80e2661f8a198458f1dda444388e4e8995d7
                      • Instruction Fuzzy Hash: 4621B472B022609AFB058FA9DA443947B62A788F98F4CD024CE0B57314EB3A9A61D755

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 105 613c1d97-613c1dca LoadLibraryW 107 613c1dcc-613c1e2d 105->107 108 613c1e31-613c1e58 105->108 107->108
                      APIs
                      • LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,613C1F55), ref: 613C1DB2
                      Memory Dump Source
                      • Source File: 00000013.00000002.2174636011.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
• Associated: 00000013.00000002.2174607927.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174659375.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174683927.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174708998.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174738251.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174784392.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_19_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                      • Instruction ID: c1c33eecdd383886d2d8d2bb6f1c2682b4f93b08dfe668e5ddc8be9d462bd23a
                      • Opcode Fuzzy Hash: 4127155981cb20e6f2d50b37ca81e7bbd812f1fa0de4aab2728d0d118f7055a4
                      • Instruction Fuzzy Hash: 06210B72B11B608CE700DBB9EC4439C3B71A348B98F044515DE6DA7BA8EF39C650C394

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 160 613c3620-613c3636 Sleep
                      APIs
                      Memory Dump Source
                      • Source File: 00000013.00000002.2174636011.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
• Associated: 00000013.00000002.2174607927.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174659375.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174683927.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174708998.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174738251.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174784392.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_19_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                      • Instruction ID: e9c459437bb93fbad0663031f86f151610a23291e51109e838943003221a6897
                      • Opcode Fuzzy Hash: fe2ac243386cde0167416a04810260f3cbc85ba1deb6f6aec3d46932f2df1739
                      • Instruction Fuzzy Hash: F0B01220F13160C3D70C33769C9635850D5574C300FD000288107842A0DC9D02A64640

                      Control-flow Graph

                      APIs
                      • RtlCaptureContext.KERNEL32 ref: 613C2924
                      • RtlLookupFunctionEntry.KERNEL32 ref: 613C293B
                      • RtlVirtualUnwind.KERNEL32 ref: 613C297D
                      • SetUnhandledExceptionFilter.KERNEL32 ref: 613C29C4
                      • UnhandledExceptionFilter.KERNEL32 ref: 613C29D1
                      • GetCurrentProcess.KERNEL32 ref: 613C29D7
                      • TerminateProcess.KERNEL32 ref: 613C29E5
                      Memory Dump Source
                      • Source File: 00000013.00000002.2174636011.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
• Associated: 00000013.00000002.2174607927.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174659375.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174683927.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174708998.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174738251.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174784392.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_19_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
                      • String ID:
                      • API String ID: 3266983031-0
                      • Opcode ID: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                      • Instruction ID: e8e25b836daba40db766a00739c45693a0588c7fa2b6924b27fae8a827f53c88
                      • Opcode Fuzzy Hash: d20c4be697a3212f516fb3c4bcd7d35ad969eae838489b411cfbb6ecde053262
                      • Instruction Fuzzy Hash: E421D375611B31D9EB008B61F8843C937AAB748B98F480566D94F67734EF3AC764C780

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 188 613c2470-613c2489 189 613c248b-613c2498 188->189 190 613c24a0-613c24f7 call 613c3170 call 613c35d0 188->190 190->189 195 613c24f9-613c24fd 190->195 196 613c24ff-613c2505 195->196 197 613c2525-613c252b 195->197 198 613c250b-613c2512 196->198 199 613c2650-613c2653 196->199 197->199 200 613c2531-613c2536 197->200 198->199 201 613c2518-613c251f 198->201 199->189 203 613c2659-613c2660 199->203 200->199 202 613c253c-613c2542 200->202 201->202 204 613c2521 201->204 205 613c275c-613c2781 call 613c2290 202->205 206 613c2548-613c254f 202->206 207 613c2664-613c2686 call 613c2300 203->207 204->197 217 613c27a0-613c27a4 205->217 218 613c2783-613c279e 205->218 206->189 209 613c2555-613c2560 206->209 216 613c2688 207->216 213 613c256a-613c257f 209->213 214 613c2585 213->214 215 613c26c6-613c26f6 call 613c2300 213->215 219 613c268d-613c2690 214->219 220 613c258b-613c258e 214->220 225 613c26fb-613c270a call 613c2290 215->225 221 613c25c4-613c25d0 216->221 218->217 219->225 226 613c2692-613c26c1 call 613c2300 219->226 223 613c270f-613c2739 call 613c2300 220->223 224 613c2594-613c2597 220->224 221->189 227 613c25d6-613c25e8 221->227 242 613c273e-613c2757 call 613c2290 223->242 224->225 230 613c259d-613c25c2 call 613c2300 224->230 225->223 226->215 232 613c2603-613c2611 227->232 230->213 230->221 237 613c25f0-613c25fd 232->237 238 613c2613-613c2626 VirtualQuery 232->238 237->189 237->232 241 613c262c-613c2645 VirtualProtect 238->241 238->242 241->237 242->205
                      APIs
                      • VirtualQuery.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2620
                      • VirtualProtect.KERNEL32(?,?,?,?,?,?,613C4054,?,?,?,?,613C12F5), ref: 613C2642
                      Strings
                      Memory Dump Source
                      • Source File: 00000013.00000002.2174636011.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
• Associated: 00000013.00000002.2174607927.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174659375.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174683927.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174708998.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174738251.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174784392.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_19_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: Virtual$ProtectQuery
                      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p$T@<a
                      • API String ID: 1027372294-2627587640
                      • Opcode ID: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                      • Instruction ID: 62939e9ad82f9327e1e07ec4eefc127d92b0ac663fd755b0084f4618bd059482
                      • Opcode Fuzzy Hash: e52f81ac41c2342fd462fc3170bb2c56cf49e9c9a5294d6a356940808a4d1b69
                      • Instruction Fuzzy Hash: 2771DE76B11A2489EB01CF76EA8078AB362B748FACF48D115CD1F17358DB3AC911C352

                      Control-flow Graph

                      APIs
                      • GetSystemTimeAsFileTime.KERNEL32 ref: 613C2875
                      • GetCurrentProcessId.KERNEL32 ref: 613C2880
                      • GetCurrentThreadId.KERNEL32 ref: 613C2888
                      • GetTickCount.KERNEL32 ref: 613C2890
                      • QueryPerformanceCounter.KERNEL32 ref: 613C289D
                      Memory Dump Source
                      • Source File: 00000013.00000002.2174636011.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
• Associated: 00000013.00000002.2174607927.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174659375.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174683927.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174708998.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174738251.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174784392.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_19_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                      • String ID:
                      • API String ID: 1445889803-0
                      • Opcode ID: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                      • Instruction ID: fbcbe058b436404562c126ae5aac31350f057f625ad19c487ba693073682924f
                      • Opcode Fuzzy Hash: 426e265ac137bbdeef0a01d9666284549597ad6e21c5f98ec00e579fb7b8abee
                      • Instruction Fuzzy Hash: 6411BF33756B3082F7005B25B904385B2A2B788BA0F0C5231EE5E53BA4EF3DC9968340

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 270 613c2300-613c232e 271 613c2332-613c2359 270->271 273 613c235b-613c2369 call 613c3120 271->273 276 613c236f-613c23bf call 613c3240 VirtualQuery 273->276 277 613c2452-613c2489 call 613c2290 273->277 283 613c2435-613c244d call 613c2290 276->283 284 613c23c1-613c23cb 276->284 285 613c248b-613c2498 277->285 286 613c24a0-613c24f7 call 613c3170 call 613c35d0 277->286 283->277 287 613c23cd-613c23d3 284->287 288 613c23f9-613c36a0 memcpy 284->288 286->285 295 613c24f9-613c24fd 286->295 287->288 296 613c24ff-613c2505 295->296 297 613c2525-613c252b 295->297 298 613c250b-613c2512 296->298 299 613c2650-613c2653 296->299 297->299 300 613c2531-613c2536 297->300 298->299 301 613c2518-613c251f 298->301 299->285 303 613c2659-613c2660 299->303 300->299 302 613c253c-613c2542 300->302 301->302 304 613c2521 301->304 305 613c275c-613c2781 call 613c2290 302->305 306 613c2548-613c254f 302->306 307 613c2664-613c2686 call 613c2300 303->307 304->297 317 613c27a0-613c27a4 305->317 318 613c2783-613c279e 305->318 306->285 309 613c2555-613c2560 306->309 316 613c2688 307->316 313 613c256a-613c257f 309->313 314 613c2585 313->314 315 613c26c6-613c26f6 call 613c2300 313->315 319 613c268d-613c2690 314->319 320 613c258b-613c258e 314->320 325 613c26fb-613c270a call 613c2290 315->325 321 613c25c4-613c25d0 316->321 318->317 319->325 326 613c2692-613c26c1 call 613c2300 319->326 323 613c270f-613c2739 call 613c2300 320->323 324 613c2594-613c2597 320->324 321->285 327 613c25d6-613c25e8 321->327 342 613c273e-613c2757 call 613c2290 323->342 324->325 330 613c259d-613c25c2 call 613c2300 324->330 325->323 326->315 332 613c2603-613c2611 327->332 330->313 330->321 337 613c25f0-613c25fd 332->337 338 613c2613-613c2626 VirtualQuery 332->338 337->285 337->332 341 613c262c-613c2645 VirtualProtect 338->341 338->342 341->337 342->305
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000013.00000002.2174636011.00000000613C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 613C0000, based on PE: true
• Associated: 00000013.00000002.2174607927.00000000613C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174659375.00000000613C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174683927.00000000613C5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174708998.00000000613C9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174738251.00000000613CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.2174784392.00000000613CE000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_19_2_613c0000_rundll32.jbxd
                      Similarity
                      • API ID: QueryVirtual
                      • String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$T@<a
                      • API String ID: 1804819252-4232178576
                      • Opcode ID: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                      • Instruction ID: 6a292cefe7e1f4070340493715416b3679d18dd40189ba87be4cd8971f2c6506
                      • Opcode Fuzzy Hash: 8e7eacb048b803b310af8d91aca0147f1e0aad4f005fb9ffc7c056ff4d3ee6e9
                      • Instruction Fuzzy Hash: 2631F673701A649AE601DF12ED04B967B65F788FE8F48C121DE1E17320DB3AD652C740
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.2967646688.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID: Y_H
                      • API String ID: 0-219585648
                      • Opcode ID: 4934dcf2f21c315a15a4285b732bc7dac1e0d4c0bb9fe613ba9174cd9b4045a5
                      • Instruction ID: be3bd6aab3fd711d2d412f3d9930e4cf9516ff5d28d0614118bf6becb24b60d8
                      • Opcode Fuzzy Hash: 4934dcf2f21c315a15a4285b732bc7dac1e0d4c0bb9fe613ba9174cd9b4045a5
                      • Instruction Fuzzy Hash: 6922C430A1DA498FDB88EF1CC495BB977E1FF99350F24016AD049C7296CB25E846CB81
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.2970637783.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID: X7&"
                      • API String ID: 0-409454980
                      • Opcode ID: b90f36c8ea8be1d5f0de379ee99f7b5a3c8d483d8ee84dd70b7c5c153215dbd2
                      • Instruction ID: 5b694ac5ee3933775659fd2ee9adc301422092554d27cc714f9b9510fb7f58ac
                      • Opcode Fuzzy Hash: b90f36c8ea8be1d5f0de379ee99f7b5a3c8d483d8ee84dd70b7c5c153215dbd2
                      • Instruction Fuzzy Hash: 57C13531D0EA8A9FFB99BB6858155B57BA0FF16398F0401FAD41DC70A3EB28A805C355
                      Memory Dump Source
                      • Source File: 00000017.00000002.2970637783.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 746dd87c7b1b60cff7916448f93633086c5c608e271207187b342256d8433602
                      • Instruction ID: bcb9f45130db5834eb50229f6bc8663a088783970079d0affcbbd11d0671d0cc
                      • Opcode Fuzzy Hash: 746dd87c7b1b60cff7916448f93633086c5c608e271207187b342256d8433602
                      • Instruction Fuzzy Hash: 0F62F662D0E7C95FE756AB3858546A57FA1FF67260F0901FBD088CB093DB289806C35A
                      Memory Dump Source
                      • Source File: 00000017.00000002.2970637783.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1999a840fc5268211ad409be5eb23e3984ec77b78518481bf3083c1d66c7af80
                      • Instruction ID: 664874146c764028e4d46ffef483c5b7cbbc01b59fcfada651bd1813c844ea4c
                      • Opcode Fuzzy Hash: 1999a840fc5268211ad409be5eb23e3984ec77b78518481bf3083c1d66c7af80
                      • Instruction Fuzzy Hash: 1D224732E0DA895FE7A5AB285C596B53BE1FF56360F0801BBD44CC7193DB28AC06C356
                      Memory Dump Source
                      • Source File: 00000017.00000002.2967646688.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 12946b8cb6993b79a14a079da41c3a58378d92f37d9542936d2cdf3c4a794020
                      • Instruction ID: b3c30864b2fede6045e6188cb5d761020a700b9ae71b4b1bbe31661f3043a930
                      • Opcode Fuzzy Hash: 12946b8cb6993b79a14a079da41c3a58378d92f37d9542936d2cdf3c4a794020
                      • Instruction Fuzzy Hash: DEC16E30A0DA4D8FDF84EF58D895BA97BE1FF68350F24416AD409D7296CB34E885CB81
                      Memory Dump Source
                      • Source File: 00000017.00000002.2967646688.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a795f905930bb7091d8df00982031e232948abd8aad2c96455ef55fcc530bb97
                      • Instruction ID: 688157b3582e6adbf57248e0bc0e4b61639840458ec5a1966d87796d24bf6b26
                      • Opcode Fuzzy Hash: a795f905930bb7091d8df00982031e232948abd8aad2c96455ef55fcc530bb97
                      • Instruction Fuzzy Hash: 6A223A31D0DB4A8FEB45EB1CD4956E87BA1FF55354F2802BAC048CB183EF25A886C785
                      Memory Dump Source
                      • Source File: 00000017.00000002.2970637783.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8e5d6f2688fb4c0754c0c6c69137a2796c8c2d54305f378ac2f98b6395c4810b
                      • Instruction ID: 276cdd14e9c29ee274ab9660cc6e72a1b736d7146de4f71a555735d29f943ae1
                      • Opcode Fuzzy Hash: 8e5d6f2688fb4c0754c0c6c69137a2796c8c2d54305f378ac2f98b6395c4810b
                      • Instruction Fuzzy Hash: 43D1043290DBCA4FE7979B3858652A07FE1FF57260F0901FBC089CB093DA289846C356
                      Memory Dump Source
                      • Source File: 00000017.00000002.2970637783.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 82d1b77ca23a77b5db969401c33725637f5e3e49960db84eb464cacd512dc5b3
                      • Instruction ID: f6af325130d16b0be97bcb0aba01e001a790ea645b5aeb1155cfc50261a16c6f
                      • Opcode Fuzzy Hash: 82d1b77ca23a77b5db969401c33725637f5e3e49960db84eb464cacd512dc5b3
                      • Instruction Fuzzy Hash: C7D1E22190EBC65FE396A63C98641707FE1FF56650F4901FBC099CB193DE29AC058356
                      Memory Dump Source
                      • Source File: 00000017.00000002.2967646688.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2cb9fcbe1af11806921b77f8b8fa9da8e1013917752a45fade2df694e6769e20
                      • Instruction ID: 158c86aaa2ef2baace5364d7d9837728da66b2fee5e84df7fcc54d5bb066127d
                      • Opcode Fuzzy Hash: 2cb9fcbe1af11806921b77f8b8fa9da8e1013917752a45fade2df694e6769e20
                      • Instruction Fuzzy Hash: 8951893190DB854FE349EB28C8955707BE0FF56364F2802BEC489C7193EE25A847C716
                      Memory Dump Source
                      • Source File: 00000017.00000002.2967646688.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8026faad3e0dc5d41d56748acab6a118f3597c400da30e26cf1bf8b8458f34e9
                      • Instruction ID: 6451ab779d5ac99ba3245959c8fb516eeee8e413b33d80d58ad76a90b24c6390
                      • Opcode Fuzzy Hash: 8026faad3e0dc5d41d56748acab6a118f3597c400da30e26cf1bf8b8458f34e9
                      • Instruction Fuzzy Hash: 28413B71D1DB889FDB09AF5CA80A7F87BE0FB55311F10416FE04883256DB20A81AC7C2
                      Memory Dump Source
                      • Source File: 00000017.00000002.2967646688.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fe36f5eb177a7624ef4b436817fc6ac61525da4e00542be38fc6e60410d234e7
                      • Instruction ID: c94f7af55105d3dbc814184c1c2586d7d90aa65e646b303a9c0ebf78b41667d8
                      • Opcode Fuzzy Hash: fe36f5eb177a7624ef4b436817fc6ac61525da4e00542be38fc6e60410d234e7
                      • Instruction Fuzzy Hash: 1331383190DB8C8FEB59DB6898497E97FF0EF66321F0441AFC049C7163DA64584ACB52
                      Memory Dump Source
                      • Source File: 00000017.00000002.2963596258.00007FF848C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C8D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848c8d000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 174d6a2bbbc1a2d178953ca7d2aa56f877b951c2fa0eb73510c35e7b38a913ad
                      • Instruction ID: 240e1e42398d7e206a0340bbf66051aaf244f35568e8280867501307a1a6e933
                      • Opcode Fuzzy Hash: 174d6a2bbbc1a2d178953ca7d2aa56f877b951c2fa0eb73510c35e7b38a913ad
                      • Instruction Fuzzy Hash: 0831267180DBC48FD79ADB3998459523FF0EF56320B1506DFD088CB1A3D629E846C792
                      Memory Dump Source
                      • Source File: 00000017.00000002.2970637783.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b2f2c546fa78b5c84fe22274533e3142000dd839c846ef2dd07d10bf52a2ecc7
                      • Instruction ID: cac0ad9ed29d13b320a79b64de7c4988e4ac1be177c9b567aa0cf9d8c5c05ff8
                      • Opcode Fuzzy Hash: b2f2c546fa78b5c84fe22274533e3142000dd839c846ef2dd07d10bf52a2ecc7
                      • Instruction Fuzzy Hash: 1721AF32B0CA088FEB59EA1CA4419E8B7E1FB59370F1401BBD14AC31A3DB25E845C795
                      Memory Dump Source
                      • Source File: 00000017.00000002.2970637783.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 55bdad3056ed9d4568d434da83f19b5c18eac24c70fff422e59a1383f3275096
                      • Instruction ID: 91218eab0e35872a6c23a8ee53a1b1491d397bf043514d2eef999f6bb611a0ce
                      • Opcode Fuzzy Hash: 55bdad3056ed9d4568d434da83f19b5c18eac24c70fff422e59a1383f3275096
                      • Instruction Fuzzy Hash: 5521BE32B0CA488FEB98EA1CA4419F8B7E0FB49360F1400BBD14AC3193EB25E8558795
                      Memory Dump Source
                      • Source File: 00000017.00000002.2970637783.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848e70000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: eadb6b9a5cfbd99bc8540dc50ea9ba351c5976f0291ebf66d5d534c7fad04503
                      • Instruction ID: 5ed656b034f1bec0855fdcf98b0f785c38fe4f28492e207995178b5074a701d0
                      • Opcode Fuzzy Hash: eadb6b9a5cfbd99bc8540dc50ea9ba351c5976f0291ebf66d5d534c7fad04503
                      • Instruction Fuzzy Hash: D901A733E0E7D24FF765567838521F4BBD0FF452A4F1801BBD59AC20C3DA1DA8058269
                      Memory Dump Source
                      • Source File: 00000017.00000002.2967646688.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                      • Instruction ID: 947609b87f0171a528e089c071280dd87983606f4429be7d1e91de7997688212
                      • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                      • Instruction Fuzzy Hash: 7A01447111CB084FDB48EF0CE451AA5B7E0FB95364F10056DE58AC3695DB26E882CB45
                      Memory Dump Source
                      • Source File: 00000017.00000002.2967646688.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9e602e62bb63d85556711c2b445fa81ea5c7aaea9dc3a3eecae4fe2df2f8e9e4
                      • Instruction ID: 0b52e4aaec5db539a28abf3dbd5c59e4e9e2a0f4f0756015ce8056ec680432b7
                      • Opcode Fuzzy Hash: 9e602e62bb63d85556711c2b445fa81ea5c7aaea9dc3a3eecae4fe2df2f8e9e4
                      • Instruction Fuzzy Hash: 0CF0447691DA884FD741AF18D85A1E5BBE0FF65241F1402ABD448C7161D7225849C7D1
                      Memory Dump Source
                      • Source File: 00000017.00000002.2967646688.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 833b36e5ac0400503f9dda138b9b0031255c2190ea0a18dc5e69f4cd369d6f2b
                      • Instruction ID: ada4c5ea063ef095a914184d9f6123a0bbf7b416972296ec0634eab644cab02b
                      • Opcode Fuzzy Hash: 833b36e5ac0400503f9dda138b9b0031255c2190ea0a18dc5e69f4cd369d6f2b
                      • Instruction Fuzzy Hash: 55F0303275C6048FDB4CAA1CF842AB973D1EB99324F10016EE48BC3696D927E8868685
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.2967646688.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID: L_^7$L_^8$L_^?$L_^@$L_^F
                      • API String ID: 0-3711972127
                      • Opcode ID: 510fb0a1a877353a66bda232f50ae9533dedb71dc04989057c935c2ea92f422d
                      • Instruction ID: b1a00a82c8f166f6750425d56d6207a40f6cd4ef9e9e4b7a95ca573af595ff2c
                      • Opcode Fuzzy Hash: 510fb0a1a877353a66bda232f50ae9533dedb71dc04989057c935c2ea92f422d
                      • Instruction Fuzzy Hash: 8E414A6370A41599D2013B7EB8152FD3752EF942B9F5451B6D28C8F043EF25708B86F8
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.2967646688.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_7ff848da0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID: L_^$L_^$L_^$L_^
                      • API String ID: 0-2357752022
                      • Opcode ID: d0798a764a0900ca4e94ad032a4c8a57afc7d288d19d7329a653ebe125901c4b
                      • Instruction ID: 434d2fce83c78f4f6a5ff11b5459972b455e0705c20cb92def90aa6d03b60644
                      • Opcode Fuzzy Hash: d0798a764a0900ca4e94ad032a4c8a57afc7d288d19d7329a653ebe125901c4b
                      • Instruction Fuzzy Hash: 0631A7B390FAC24FE356571A4869194BFE0FF22354F1D01F7C9C44B0A3EF29184A9645
                      Strings
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3002533245.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848e80000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID: X7j:
                      • API String ID: 0-1472680411
                      • Opcode ID: 0f73d2ffc565130becb24129a7fdd127785f1070a1828c4ccb70c12fcc46579c
                      • Instruction ID: 3d1871601c76fde561629580a5b32e7311180d983ba894d23308e5bbc7d6cecf
                      • Opcode Fuzzy Hash: 0f73d2ffc565130becb24129a7fdd127785f1070a1828c4ccb70c12fcc46579c
                      • Instruction Fuzzy Hash: B1D15731D0EACA9FE796EB6858195B97BE0FF16390F4805FAD04CC70E3DA28A805C355
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3002533245.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848e80000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1cd8cc4f14107b8001f413eb26f9c3c3845f897c65ef95214d7f45d2b73b4d31
                      • Instruction ID: 5affc005093c9e9af5b7b03baaf3b1edccc70e04e09756c2669572695a15a257
                      • Opcode Fuzzy Hash: 1cd8cc4f14107b8001f413eb26f9c3c3845f897c65ef95214d7f45d2b73b4d31
                      • Instruction Fuzzy Hash: 1C124732D0EA894FE795A7295C556B93BE1FF96260F4801FBC04CC7193DB28AC46C396
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3000795855.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848db0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cb8a7b474ecde0de1363323219b5b73ecbacef920b9d5a082d60718507534a4a
                      • Instruction ID: 5f9159d79dfbb6541cd0ea8a02a5bbd221eaf09dddbb44e1dc53a7cdbb1e00b7
                      • Opcode Fuzzy Hash: cb8a7b474ecde0de1363323219b5b73ecbacef920b9d5a082d60718507534a4a
                      • Instruction Fuzzy Hash: CB22C230A1DA498FDB98EF1CC495AB977E1FF69350F1401BAD04AC7296CB35E846CB81
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3000795855.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848db0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b503d276617054403a8897e08e98ea6deb125cf1b92ed0011ccc5e564ad90f65
                      • Instruction ID: 8b2a5d4049433546e88938c1b45a06caf530761e4b211827cff6354b1e00034e
                      • Opcode Fuzzy Hash: b503d276617054403a8897e08e98ea6deb125cf1b92ed0011ccc5e564ad90f65
                      • Instruction Fuzzy Hash: ED02E130A0DA498FDB98EF1CC495AA97BE1FF68350F14017AD409D7296DB35EC86CB81
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3002533245.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848e80000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c4cbcb624c39083c205310be3d37b705eff15de9674425c132b3e5623aacbadc
                      • Instruction ID: 30c096491ed42d7098b3efaa105516133bd08575396bbb3069b56057b4f6fb73
                      • Opcode Fuzzy Hash: c4cbcb624c39083c205310be3d37b705eff15de9674425c132b3e5623aacbadc
                      • Instruction Fuzzy Hash: 24D1E161E0EBC60FE396A72C98651757FE1FF56290F4911FBC088CB1D3DA289C06835A
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3002533245.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848e80000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ca1980b8dc00e12ab821991d5c9f0249c3659b5ef53458ee82941e0d36b0ba0b
                      • Instruction ID: 48d3dfb8a7dedd2a2203898fc6cfa1a790ff8d204f4f04c66f0fb51a7c04acd9
                      • Opcode Fuzzy Hash: ca1980b8dc00e12ab821991d5c9f0249c3659b5ef53458ee82941e0d36b0ba0b
                      • Instruction Fuzzy Hash: 5CD1F06180E6C95FE756A72958155B97FA0FF53260F4901FFD48CC7093DB28A806C3A6
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3000795855.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848db0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b3cd519cde7e1fdfe3bd923e8c1a6514b4cca705576c05b93a474f827854af12
                      • Instruction ID: c915b735f09602110e1bcda31cb2a96e238037c920ec42bfbb4ebcc271cf0912
                      • Opcode Fuzzy Hash: b3cd519cde7e1fdfe3bd923e8c1a6514b4cca705576c05b93a474f827854af12
                      • Instruction Fuzzy Hash: FEB15B31E09A4D8FDF98EF58D895AA9BBE1FF68340F14416AD409D7295CB34E885CB80
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3000795855.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848db0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6136fed9716e3d6c7e54f2e8bbf76c297a6183b9ebf3ab0c3d24698e718eba86
                      • Instruction ID: b4cd4803be5692612fdc34242df6cef2f565d1259b5b78f9e2c64d1d0f23b939
                      • Opcode Fuzzy Hash: 6136fed9716e3d6c7e54f2e8bbf76c297a6183b9ebf3ab0c3d24698e718eba86
                      • Instruction Fuzzy Hash: 5431F63191CB889FDB18DB5C984A6A97BE0FB69321F00426FE449C3252DB74A855CBC2
                      Memory Dump Source
                      • Source File: 0000001A.00000002.2998496394.00007FF848C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C9D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848c9d000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 861a0460346bd50bcbf07b89883bc45f696d38ea2c3030ec6dbbfab367074432
                      • Instruction ID: 80d4a3e442385595aa341602cfc26e54ce59e50c854e2b7997e41dbc11687c7f
                      • Opcode Fuzzy Hash: 861a0460346bd50bcbf07b89883bc45f696d38ea2c3030ec6dbbfab367074432
                      • Instruction Fuzzy Hash: D141E57180DBC48FE796DB2898419523FF4EF56264B1905DFD088CB1A3D729A846C792
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3002533245.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848e80000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 93718dadf731a7a18d6773a80ae20369af1e3d91aec477d5bfb2c1b70335551f
                      • Instruction ID: 0fec0d555f54e193177aa548df8a38a6681ea1ed3dcdd7a5d32511d547f68216
                      • Opcode Fuzzy Hash: 93718dadf731a7a18d6773a80ae20369af1e3d91aec477d5bfb2c1b70335551f
                      • Instruction Fuzzy Hash: 2D310732F0DA8A8FEBA5EA6C74516B877E1FF45760F5801BBC10DC3193DE2898058395
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3000795855.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848db0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dfaaad81d02457ed61ea2f6c6322adf3dbd783dbcda421c46f081ebbfe6145e1
                      • Instruction ID: fab06a670b6979fc6ba0a03e9555f3eed474fb2bb1f3acfa641ad138551e507a
                      • Opcode Fuzzy Hash: dfaaad81d02457ed61ea2f6c6322adf3dbd783dbcda421c46f081ebbfe6145e1
                      • Instruction Fuzzy Hash: 43212B3190D74C8FDB59DF9C984A7E97FE0EB66321F04416FD448C3152D674644ACB91
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3000795855.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848db0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ceb2f54909cfe83a58a73858b3cca2b875e4b50fed46d7cdd52e3b055e33802a
                      • Instruction ID: cc168b462ca9f2ecc30bf1fe314fc409a54d645b690235910adc69f7395bef9f
                      • Opcode Fuzzy Hash: ceb2f54909cfe83a58a73858b3cca2b875e4b50fed46d7cdd52e3b055e33802a
                      • Instruction Fuzzy Hash: 5321C022B0ED4E5FEB94EA2D989877573D1EBB8291B0501B6D00CC329ADE28EC068304
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3000795855.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848db0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                      • Instruction ID: 3b57b3e9d12b2b9a0327dfef370fddf88df8e6630bec459fb2ef94491519d874
                      • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                      • Instruction Fuzzy Hash: D101447111CB084FDB48EF0CE451AA6B7E0FB95364F50056DE58AC3695DB26E882CB45
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3002533245.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848e80000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8293bc44b18e47319eaaf70b347662826db8c7230fb73950cc67fc7da32b4131
                      • Instruction ID: 4e57f5dbe85c1e699b0e2b44c7e5f93aea719b9e586b27acade729a2976f2473
                      • Opcode Fuzzy Hash: 8293bc44b18e47319eaaf70b347662826db8c7230fb73950cc67fc7da32b4131
                      • Instruction Fuzzy Hash: ACF0B433D0EA828FE65A5A6878621BC7AA0FF45690F5800FED059C31D3D92D1805423A
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3000795855.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848db0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5f183dd218b1e7df1abb2e7f81492dd1ddbada4d126069de0cce3372576afe15
                      • Instruction ID: 3d36e3cb6afe244635a7c92288f56b6130372cde22c346d20d33c612c42a88c1
                      • Opcode Fuzzy Hash: 5f183dd218b1e7df1abb2e7f81492dd1ddbada4d126069de0cce3372576afe15
                      • Instruction Fuzzy Hash: F0F0303275C6048FDB4CAA1CF842AB573D1EB99320F10056EF48BC3696D927E846C685
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3002533245.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848e80000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 518de16e7b413a23a494f61d0893abd02c16525b723a256d2621dee4a79fdee6
                      • Instruction ID: 9dccd929e58055468d6bc9c34e248d1da44bd6f181771708e2bc86ef7b3a869a
                      • Opcode Fuzzy Hash: 518de16e7b413a23a494f61d0893abd02c16525b723a256d2621dee4a79fdee6
                      • Instruction Fuzzy Hash: A6F09A32A0D9458FE798EB1CA4008A877E0FF46360F1501BAE05DC70A7CB3AEC858754
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3000795855.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848db0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 99c4ca1cf1abc7fe09e75d67b8a9c213e8a9a362f580f9f6ae7df8e2239198b4
                      • Instruction ID: ac48d0aa4a97b59240034da6900987fb20063646099ea229923fd29c79c9a8f4
                      • Opcode Fuzzy Hash: 99c4ca1cf1abc7fe09e75d67b8a9c213e8a9a362f580f9f6ae7df8e2239198b4
                      • Instruction Fuzzy Hash: 3AF0BB3180C6CD4FDB06EF2888595D57FE0EF26351F050297D45CC70A2DB659458C792
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3002533245.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848e80000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 29b8b48c48d817dcbe3ef83cf796b1983c5a4fed7128691649d32a33a4800083
                      • Instruction ID: 0c0ce5f4f264784af1440c8cbaf2ae1be258c949620dc4e94a7f08aea9937195
                      • Opcode Fuzzy Hash: 29b8b48c48d817dcbe3ef83cf796b1983c5a4fed7128691649d32a33a4800083
                      • Instruction Fuzzy Hash: 13F03A31A4D5458FEB95EB18A4419AC77E0FF05364B5500B6E159CB0A3CB2AAC548754
                      Strings
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3000795855.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848db0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID: K_^$K_^$K_^$K_^$K_^
                      • API String ID: 0-3188868157
                      • Opcode ID: 514daea1394a128c7c2d719b9f571259c5dbab3107d3435cfda3c4416ca6f25e
                      • Instruction ID: eb20f84cbc08072e4f8dcd9b27def9b9c4a9e19e115298ce1ec786406962d47a
                      • Opcode Fuzzy Hash: 514daea1394a128c7c2d719b9f571259c5dbab3107d3435cfda3c4416ca6f25e
                      • Instruction Fuzzy Hash: B551C3B2C0FAC58FE75ADA385C592646F90FF32795B1D01FEC0488B197EA599D09C30A
                      Strings
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3000795855.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848db0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID: K_^$K_^$K_^$K_^
                      • API String ID: 0-4267328068
                      • Opcode ID: 1e6c547c498ec843dbc89c27433434ebdd8413c77abd99ae8faf4043ab60f6a9
                      • Instruction ID: b9c9f416f17f0890cf8572667f1e31ef9d8a41a22ec0f0f3dc3809600b8b23b7
                      • Opcode Fuzzy Hash: 1e6c547c498ec843dbc89c27433434ebdd8413c77abd99ae8faf4043ab60f6a9
                      • Instruction Fuzzy Hash: 5C519472D0F7C29FEB57962958A51947F60FF223A4F1D00FBC088CB093EA1A184A8716
                      Strings
                      Memory Dump Source
                      • Source File: 0000001A.00000002.3000795855.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_26_2_7ff848db0000_pha.jbxd
                      Similarity
                      • API ID:
                      • String ID: K_^$K_^$K_^$K_^
                      • API String ID: 0-4267328068
                      • Opcode ID: ad9787418d12748cf7f034179f99824896a4d6b1dffefffe3a3ed5ec4e8074d6
                      • Instruction ID: 5f91df13c2dca7c58706472c1929e456daa953692bb296ef9328c446bebb32d3
                      • Opcode Fuzzy Hash: ad9787418d12748cf7f034179f99824896a4d6b1dffefffe3a3ed5ec4e8074d6
                      • Instruction Fuzzy Hash: 642175B3D0EAC64FE356962818690947FE1FF322A9B1D00FFC0888B193EB195C4A9315
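The records above follow a fixed layout, and two of their fields cross-reference each other: the hex process index, dump number and base address in each `.sdmp` name reappear in decimal/short form in the `hcaresult_<pid>_<dump>_<base>_pha.jbxd` snapshot name and in the `Offset:` field (0x17 is process 23, 0x1A is process 26). As an added example, not the page's or Joe Sandbox's own code, the Python below parses that layout, verifies the cross-reference, and flags functions whose Instruction Fuzzy Hash nearly repeats in a different process dump (the listing contains such pairs between the 23 and 26 dumps). The positional hex-distance used for "nearly repeats" is an assumption standing in for whatever comparison Joe Sandbox applies to its fuzzy hashes, which the report does not document; the remaining `.sdmp` name fields are left uninterpreted for the same reason. The sample records are copied from the listing above.

```python
"""Parse Joe Sandbox "Memory Dump Source" function records and flag functions
whose Instruction Fuzzy Hash nearly repeats in another process dump.
Added example; not Joe Sandbox code."""
import re

# Only the three fields the page itself cross-references (process index, dump
# number, base address) are decoded; the other .sdmp fields are undocumented.
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})(?:\.[0-9A-Fa-f]{8}){4}\.sdmp$")
SNAP_RE = re.compile(
    r"^hcaresult_(?P<pid>\d+)_(?P<dump>\d+)_(?P<base>[0-9A-Fa-f]+)_pha\.jbxd$")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")

# Constructed sample: three records copied from the listing in its own layout.
SAMPLE = """\
Memory Dump Source
• Source File: 00000017.00000002.2967646688.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff848da0000_pha.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 833b36e5ac0400503f9dda138b9b0031255c2190ea0a18dc5e69f4cd369d6f2b
• Instruction ID: ada4c5ea063ef095a914184d9f6123a0bbf7b416972296ec0634eab644cab02b
• Opcode Fuzzy Hash: 833b36e5ac0400503f9dda138b9b0031255c2190ea0a18dc5e69f4cd369d6f2b
• Instruction Fuzzy Hash: 55F0303275C6048FDB4CAA1CF842AB973D1EB99324F10016EE48BC3696D927E8868685
Memory Dump Source
• Source File: 0000001A.00000002.3000795855.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ff848db0000_pha.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5f183dd218b1e7df1abb2e7f81492dd1ddbada4d126069de0cce3372576afe15
• Instruction ID: 3d36e3cb6afe244635a7c92288f56b6130372cde22c346d20d33c612c42a88c1
• Opcode Fuzzy Hash: 5f183dd218b1e7df1abb2e7f81492dd1ddbada4d126069de0cce3372576afe15
• Instruction Fuzzy Hash: F0F0303275C6048FDB4CAA1CF842AB573D1EB99320F10056EF48BC3696D927E846C685
Memory Dump Source
• Source File: 0000001A.00000002.3002533245.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ff848e80000_pha.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c4cbcb624c39083c205310be3d37b705eff15de9674425c132b3e5623aacbadc
• Instruction ID: 30c096491ed42d7098b3efaa105516133bd08575396bbb3069b56057b4f6fb73
• Opcode Fuzzy Hash: c4cbcb624c39083c205310be3d37b705eff15de9674425c132b3e5623aacbadc
• Instruction Fuzzy Hash: 24D1E161E0EBC60FE396A72C98651757FE1FF56290F4911FBC088CB1D3DA289C06835A
"""


def parse_records(text):
    """Split the listing into one dict per 'Memory Dump Source' record."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "Memory Dump Source":
            cur = {}
            records.append(cur)
        elif cur is not None and line.startswith("• "):
            key, _, value = line[2:].partition(":")
            cur[key.strip()] = value.strip()
    return records


def decode_source(record):
    """Decode process/dump/base from the .sdmp name and check that the snapshot
    name and the Offset field agree with it."""
    src_field = record["Source File"]
    m = SDMP_RE.match(src_field.split(",")[0].strip())
    s = SNAP_RE.match(record["Snapshot File"])
    off = OFFSET_RE.search(src_field)
    if not (m and s and off):
        raise ValueError("unrecognised record layout: %r" % src_field)
    pid, dump, base = int(m["pid"], 16), int(m["dump"], 16), int(m["base"], 16)
    consistent = (pid == int(s["pid"]) and dump == int(s["dump"])
                  and base == int(s["base"], 16) == int(off.group(1), 16))
    return {"process": pid, "dump": dump, "base": base, "consistent": consistent}


def hex_distance(a, b):
    """Differing hex positions.  Assumption: a crude stand-in for the report's
    undocumented fuzzy-hash comparison; unequal lengths count as unrelated."""
    if len(a) != len(b):
        return max(len(a), len(b))
    return sum(x != y for x, y in zip(a.lower(), b.lower()))


def near_matches(records, max_diff=10):
    """Record pairs from different processes whose Instruction Fuzzy Hashes
    differ in at most max_diff positions (same code loaded into two processes
    at different base addresses shows up here)."""
    found = []
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            sa, sb = decode_source(a), decode_source(b)
            if sa["process"] == sb["process"]:
                continue
            d = hex_distance(a["Instruction Fuzzy Hash"], b["Instruction Fuzzy Hash"])
            if d <= max_diff:
                found.append((sa["process"], sb["process"], d,
                              a["Opcode ID"][:12], b["Opcode ID"][:12]))
    return found


if __name__ == "__main__":
    for hit in near_matches(parse_records(SAMPLE)):
        print("process %d <-> process %d: distance %d (%s... / %s...)" % hit)
```

On the sample, the first two records (one from the 23 dump, one from the 26 dump) differ in 8 hex positions and are reported as a cross-process near match; the third record is unrelated to the first and, being from the same process as the second, is not compared with it. Tune `max_diff` against known-identical functions before trusting it on a larger listing.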